Channel: Questions in topic: "splunk-enterprise"

Matching fields from different indices to return another field

Hi, I have two different indexes where I need to match a field and, if it matches, return another field.

First search (Index1)

    FileName       DeviceName
    explorer.exe   myserver.test.com
    processor.dll  anothersystem.xyz.abc
    third.exe      yetanother.aaa.bbb
    another.exe    myserver.test.com

Second search (Index2)

    HostName             Owner
    MYserver.test.com    bob@sample.com
    nonEXistent.abc.ccc  larry@sample.com
    yetANOTHER.aaa.bbb   charlie@sample.com

Desired search result

    DeviceName          FileName      Owner
    myserver.test.com   explorer.exe  bob@sample.com
                        another.exe
    yetanother.aaa.bbb  third.exe     charlie@sample.com

A couple of things to notice:

- I need to show results where DeviceName and HostName match. Both fields may be in different case (so case-insensitive matching is required).
- If DeviceName==HostName, I need the Owner field returned from Index2.
- One DeviceName/HostName may have many FileNames under it and I need to display all of them (explorer.exe + another.exe).

I've been tinkering around and am having a hard time finding the right query. Here's where I'm at:

    (index=index1 sourcetype=type1 FileName=somecondition*) OR (index=index2 sourcetype=type2)
    | fields FileName, DeviceName, Owner, HostName
    | eval magic=case(DeviceName==HostName, Owner)
    | stats list(FileName) as FileName, list(magic) as SysOwner by DeviceName

It doesn't work, though. I tried variations of the eval statement using `if`, `coalesce` and a few other solutions from other questions. But I believe the case difference between the two fields is what is hindering me. I'm still new to Splunk and any help would be appreciated! :)
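
The following search produces the desired result. It is an added worked example, not part of the original question or of any answer on the page. It assumes the index, sourcetype and field names used above (index1/type1 with FileName and DeviceName; index2/type2 with HostName and Owner), keeps the author's FileName=somecondition* filter as a placeholder, and introduces host_key as an assumed name for the normalised join field. This is the usual shape of an EDR-style "which binaries ran on which host, and who owns that host" correlation, where the process telemetry and the asset inventory rarely agree on hostname case.

```spl
(index=index1 sourcetype=type1 FileName=somecondition*) OR (index=index2 sourcetype=type2)
| fields FileName, DeviceName, HostName, Owner
| eval host_key=lower(coalesce(DeviceName, HostName))
| stats values(FileName) AS FileName, values(Owner) AS Owner BY host_key
| where isnotnull(FileName) AND isnotnull(Owner)
| rename host_key AS DeviceName
| fields DeviceName, FileName, Owner
```

Why this works where the posted eval does not: an event comes from either index1 or index2, never both, so in `case(DeviceName==HostName, Owner)` one side of the comparison is always null and the branch never fires; `==` in eval is also case-sensitive. Instead, `coalesce` picks whichever hostname field the event carries, `lower` removes the case difference, and `stats ... BY host_key` groups the index1 and index2 events for the same host into one row, so the join happens at aggregation time rather than per event. `values()` de-duplicates and sorts the multivalue result (`list()` keeps order and duplicates if that matters). The `where` clause drops hosts that appear in only one index (nonEXistent.abc.ccc, anothersystem.xyz.abc). A `join` subsearch would also work but is subject to subsearch result and time limits, so the stats form scales better; if index2 is a slowly changing inventory, loading it as a lookup with `case_sensitive_match = false` in transforms.conf and using `| lookup` is the other idiomatic option.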
