Splunk Search

How can one combine two fields with the same values, but different field names, to aggregate data from multiple sourcetypes?

amcb90
Engager

I have two fields with the same values but different field names.

index= network
sourcetype= firewall
The source IP field is "src"
sourcetype= logins
The source IP field is "src_ip"

I would like to be able to combine the results of both in a stats table to have a line item contain info from both sourcetypes:
example:

index=network sourcetype=firewall OR sourcetype=logins |(Whatever I need to do to combine two fields into one) | stats values(username) as Usernames, values(alert) as Alerts by (NEW_Source_IP_Field_Name)
0 Karma

kmorris_splunk
Splunk Employee

You could use coalesce in your search:

[YOUR BASE SEARCH]
| eval newfield=coalesce(field1,field2)

This will merge the values of both fields into one field.

Vijeta
Influencer

@amcb90 Try this -

index=network sourcetype=firewall OR sourcetype=logins | rename src_ip as src | stats values(username) as Usernames, values(alert) as Alerts by src

OR you can use

index=network sourcetype=firewall OR sourcetype=logins | eval src=coalesce(src,src_ip) | stats values(username) as Usernames, values(alert) as Alerts by src
0 Karma
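A fuller version of the coalesce approach, added here as an example and not code from either answer: it keeps only source IPs that appear in both sourcetypes (the firewall alert and the login share a src), and it counts events where src and src_ip were both present but disagreed, so the normalisation does not silently discard a value. Field names src, src_ip, username and alert are the ones given in the question.

```spl
index=network (sourcetype=firewall OR sourcetype=logins)
| eval src_conflict=if(isnotnull(src) AND isnotnull(src_ip) AND src!=src_ip, 1, 0)
| eval src=coalesce(src, src_ip)
| stats values(username) as Usernames, values(alert) as Alerts, values(sourcetype) as Seen_In, dc(sourcetype) as Sourcetype_Count, sum(src_conflict) as Field_Conflicts, min(_time) as First_Seen, max(_time) as Last_Seen by src
| where Sourcetype_Count > 1
| sort - Last_Seen
| convert ctime(First_Seen) ctime(Last_Seen)
```

Drop the `where` line to get one row per source IP regardless of how many sourcetypes it appeared in; a non-zero Field_Conflicts means some events carried both fields with different values and coalesce kept src.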
