All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to Cacatenate and Search in 2 different Sources

muru143
New Member
‎06-07-2013 05:25 PM

Hi Splunk Experts,

I have 2 files

File1:

Filer_Name    Dept     Volume_Name    Vol_Total    Vol_Used

Abcd                   Vol1           100          50

File 2:

Filer_Name    Dept     Volume_Name    Vol_Total    Vol_Used

Abcd          IT       Vol1

File 1 is generated by storage monitoring script and file 2 is maintained manually with Dept name.

What I want to do is, I want to concatenate “Filer_Name” and “Volume_Name” in both files and based on the value lookup for Dept in File2.
How can do this in Splunk?

I got to the point of concatenating the fields in file 1, but not sure how to do lookup based in concatenated value from file 2.

I have indexed both files in splunk.

Can anyone tell me if this is possible.

Thanks for your help,

Muru

0 Karma
Reply

muru143
New Member
‎06-11-2013 09:54 AM

basically I want to lookup a field from file2 by matching concatenation of fields "filer_name" and "vol_name" in file1 to concenation of same fields in file 2.

0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎06-09-2013 07:20 PM

I don't understand the question.

However you can concatenate fields with eval

... |eval newfield=field1 . field2

Typically if you want to use file2 as a table to enrich file1, it's more convenient to set up the data as a lookup. You could generate a lookup from file2 by doing some gymnastics like:

source=file2 | fields Filer_Name, Dept, Volume_Name |outputlookup my_lookup

you might have to set up some conf to comprehend your lookup for meaningful use.
More about lookups: http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsfromexternaldatasources

Once you have the lookup set up to work automatically or by invocation, it would become something like

source=file1 |lookup my_lookup | ...

where you may wish to filter the items to augment before or after the lookup.

0 Karma
Reply

muru143
New Member
‎06-11-2013 10:34 AM

Thanks, I was able to use lookup to accomplish what I wanted to do.

Thanks for your help,

-Muru

0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-07-2013 11:48 PM

Many things are possible. Please show in more detail how you want the results presented. It's not really clear.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...