Splunk Search

Getting data from separate searches where fields are not the same name

jfraley
Explorer

I have two searches, one that gives me a table:

  index="netapp_snapmirror_reports" source="/var/tmp/netapp_snapmirror/splunk_flexclone_detail.csv"
  | table vserver,flexclone,flexclone_used_percent,parent_snapshot,parent_volume

The second from another index gives me a table of volume and used space:

  index="netapp_snapmirror_reports" source="/var/tmp/netapp_snapmirror/splunk_volume_detail.csv" volume=*
  | table volume space_used

I need to combine these two for a single table. The second search needs to use the value of parent_volume in the first search so volume=parent_volume to get the space_used.

I have tried various subsearches with appendcols, but nothing has given me my results. I can't seem to get the second search to use volume={the value of parent_volume} in the search.

1 Solution

jfraley
Explorer

This gave me the details I was looking for:

  index="netapp_snapmirror_reports" source="/var/tmp/netapp_snapmirror/splunk_flexclone_detail.csv"
  | rename parent_volume as volume
  | join volume [search index="netapp_snapmirror_reports" source="/var/tmp/netapp_snapmirror/splunk_volume_detail.csv"]
  | table vserver flexclone flexclone_used_percent volume percent_used parent_snapshot
  | rename volume as "parent_volume"


niketn
Legend

@jfraley can you try the following stats

  index="netapp_snapmirror_reports" ((source="/var/tmp/netapp_snapmirror/splunk_flexclone_detail.csv") OR (source="/var/tmp/netapp_snapmirror/splunk_volume_detail.csv" volume=*))
  | eval mergedVolume=if(match(source,"splunk_flexclone_detail.csv"),parent_volume,volume)
  | stats last(vserver) as vserver, last(flexclone) as flexclone, last(flexclone_used_percent) as flexclone_used_percent, last(parent_snapshot) as parent_snapshot, last(space_used) as space_used by mergedVolume
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
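Two added searches follow, written by the editor rather than taken from any post in this thread. Both assume only what the question states: the flexclone report carries `parent_volume`, the volume report carries `volume` and `space_used`, and both live in the same index. (`percent_used`, which the accepted answer tables, appears in neither of the question's searches, so the examples carry `space_used` and rename it on output.) The first search is the single-search route from the reply above, but with `eventstats` in place of `stats`: a `stats ... by mergedVolume` collapses every flexclone of the same parent into one multivalue row, whereas `eventstats` copies the parent's `space_used` onto each flexclone event and leaves one row per clone. The second is the `join` route with the options a practitioner wants set explicitly.

```spl
index="netapp_snapmirror_reports"
    (source="/var/tmp/netapp_snapmirror/splunk_flexclone_detail.csv"
     OR (source="/var/tmp/netapp_snapmirror/splunk_volume_detail.csv" volume=*))
| eval volume=if(match(source, "splunk_flexclone_detail\.csv$"), parent_volume, volume)
| eventstats latest(space_used) AS parent_space_used BY volume
| where match(source, "splunk_flexclone_detail\.csv$")
| rename volume AS parent_volume
| table vserver flexclone flexclone_used_percent parent_volume parent_snapshot parent_space_used

index="netapp_snapmirror_reports" source="/var/tmp/netapp_snapmirror/splunk_flexclone_detail.csv"
| rename parent_volume AS volume
| join type=left max=0 volume
    [ search index="netapp_snapmirror_reports" source="/var/tmp/netapp_snapmirror/splunk_volume_detail.csv" volume=*
      | fields volume space_used ]
| rename volume AS parent_volume, space_used AS parent_space_used
| table vserver flexclone flexclone_used_percent parent_volume parent_snapshot parent_space_used
```

In the first search the `eval` rewrites `volume` on the flexclone rows to the parent's name so both sources share one key; `eventstats` then attaches the parent's `space_used` to every event with that key, and the `where` keeps only the flexclone rows (parents with no clones drop out at that point). The regex is anchored with `\.csv$` so a source such as `splunk_flexclone_detail.csv.bak` would not match by accident. In the second search, `type=left` keeps flexclones whose parent is missing from the volume report instead of silently dropping them (plain `join` is an inner join), `max=0` lifts the default of one matching subsearch row per key, and the `fields` inside the subsearch trims what crosses the join. Keep in mind that a `join` subsearch is truncated at the limits.conf `[join]` defaults (50,000 rows, 60 seconds), so on a large volume inventory the single-search form is the safer one.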

Vijeta
Influencer

@jfraley Did you try using join?


jfraley
Explorer

Well, I had tried, but did not get my results. I just tried join again and was able to get what I needed. Here is what I have:

  index="netapp_snapmirror_reports" source="/var/tmp/netapp_snapmirror/splunk_flexclone_detail.csv"
  | rename parent_volume as volume
  | join volume [search index="netapp_snapmirror_reports" source="/var/tmp/netapp_snapmirror/splunk_volume_detail.csv"]
  | table vserver flexclone flexclone_used_percent volume percent_used parent_snapshot
  | rename volume as "parent_volume"

Thanks
