Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Getting data from seperate searches where fields are not the same name

jfraley
Explorer
‎07-18-2019 09:41 AM

I have two searches, one that gives me a table:

  1. index="netapp_snapmirror_reports" source="/var/tmp/netapp_snapmirror/splunk_flexclone_detail.csv"
  2. |table vserver,flexclone,flexclone_used_percent,parent_snapshot,parent_volume

The second from another index gives me a table of volume and used space:

  1. index="netapp_snapmirror_reports" source="/var/tmp/netapp_snapmirror/splunk_volume_detail.csv" volume=*
  2. |table volume space_used

I need to combine these two for a single table. The second search needs to use the value of parent_volume in the first search so volume=parent_volume to get the space_used.

I have tried various subsearches with appendcols, but nothing has given me my results. I can't seem to get the second search to use volume={the value of parent_volume} in the search.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jfraley
Explorer
‎07-19-2019 10:38 AM

This gave me the details I was looking for:

index="netapp_snapmirror_reports" source="/var/tmp/netapp_snapmirror/splunk_flexclone_detail.csv"
|rename parent_volume as volume
| join volume [search index="netapp_snapmirror_reports" source="/var/tmp/netapp_snapmirror/splunk_volume_detail.csv"]
|table vserver flexclone flexclone_used_percent volume percent_used parent_snapshot
|rename volume as "parent_volume"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jfraley
Explorer
‎07-19-2019 10:38 AM

This gave me the details I was looking for:

index="netapp_snapmirror_reports" source="/var/tmp/netapp_snapmirror/splunk_flexclone_detail.csv"
|rename parent_volume as volume
| join volume [search index="netapp_snapmirror_reports" source="/var/tmp/netapp_snapmirror/splunk_volume_detail.csv"]
|table vserver flexclone flexclone_used_percent volume percent_used parent_snapshot
|rename volume as "parent_volume"
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎07-18-2019 07:50 PM

@jfraley can you try the following stats

index="netapp_snapmirror_reports" AND (source="/var/tmp/netapp_snapmirror/splunk_flexclone_detail.csv") OR (source="/var/tmp/netapp_snapmirror/splunk_volume_detail.csv" volume=*) 
| eval mergedVolume=if(match(source,"splunk_flexclone_detail.csv"),parent_volume,volume) 
| stats last(vserver) as vserver,last(flexclone) as flexclone,last(flexclone_used_percent) as flexclone_used_percent,last(parent_snapshot) as parent_snapshot last(space_used) as space_used by mergedVolume
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎07-18-2019 10:23 AM

@jfraley Did you try using join?

0 Karma
Reply
Solved! Jump to solution

jfraley
Explorer
‎07-18-2019 11:48 AM

Well, I had tried, but did not get my results. I just tried join again and was able to get what I needed. Here is what I have:

  1. index="netapp_snapmirror_reports" source="/var/tmp/netapp_snapmirror/splunk_flexclone_detail.csv"
  2. |rename parent_volume as volume
  3. | join volume [search index="netapp_snapmirror_reports" source="/var/tmp/netapp_snapmirror/splunk_volume_detail.csv"]
  4. |table vserver flexclone flexclone_used_percent volume percent_used parent_snapshot
  5. |rename volume as "parent_volume"

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...