I found this thread, but wasn't able to get it to work for me:
https://answers.splunk.com/answers/74245/joining-data-from-2-data-sources-in-splunk.html
I have 2 sources that I would like to display in a table. The two sources use 2 columns as the "join" to know that it's the same data.
In other words, I have:
Source A, Column_A, Column_B (as well as other columns)
Source B, Column_A, Column_C (as well as other columns)
Column_A=Column_A and Column_B=Column_C (has to be both matching, not just one set of columns or the others)
Based on the link above, I have tried:
index=index* (sourcetype=A OR sourcetype=B)
| rename Column_C as Column_B
| table
Maybe it doesn't matter, but I'm hung up on how Splunk knows what to join on if I don't tell it.