{"id":66983,"date":"2022-11-23T13:03:20","date_gmt":"2022-11-23T13:03:20","guid":{"rendered":"https:\/\/merikebi.warrenmyers.com\/?p=66983"},"modified":"2022-11-23T13:03:20","modified_gmt":"2022-11-23T13:03:20","slug":"answer-by-warren-for-how-can-i-conditionally-create-splunk-field-aliases","status":"publish","type":"post","link":"https:\/\/merikebi.warrenmyers.com\/?p=66983","title":{"rendered":"Answer by warren for How can I conditionally create splunk field aliases?"},"content":{"rendered":"<p>Some of the answers on here are on a good track (especially @<a href=\"https:\/\/stackoverflow.com\/users\/1313441\/adrian-hall\">Adrian Hall<\/a>&#8216;s <a href=\"https:\/\/stackoverflow.com\/a\/29243199\/4418\">suggestion<\/a> to use <a href=\"https:\/\/docs.splunk.com\/Documentation\/Splunk\/latest\/SearchReference\/ConditionalFunctions#coalesce.28.26lt.3Bvalues.29\" rel=\"nofollow noreferrer\"><code>eval ... coalesce()<\/code><\/a><\/p>\n<p>But this is simpler:<\/p>\n<pre><code>(index=ndx1 sourcetype=srctp userId=* client=* version=*) OR (index=ndx2 sourcetype=srctp2 fooid=* speed=*)\n| rename fooid as userId\n| stats values(client) as client values(version) as version values(speed) as speed by userId\n| where isnotnull(version) AND isnotnull(client) AND isnotnull(speed)\n<\/code><\/pre>\n<p>You have to combine the different logs before looking for commonalities &#8211; one way is with <a href=\"https:\/\/docs.splunk.com\/Documentation\/Splunk\/latest\/SearchReference\/join\" rel=\"nofollow noreferrer\"><code>join<\/code><\/a>, but it&#8217;s <em>usually<\/em> not the right choice &#8211; especially when you can leverage <a href=\"https:\/\/docs.splunk.com\/Documentation\/Splunk\/latest\/SearchReference\/stats\" rel=\"nofollow noreferrer\"><code>stats<\/code><\/a> to your advantage \ud83d\ude42<\/p>\n<p>Depending on your time frame, using <a href=\"https:\/\/docs.splunk.com\/Documentation\/Splunk\/latest\/SearchReference\/fields\" rel=\"nofollow noreferrer\"><code>fields<\/code><\/a> to drop the raw event (<code>_raw<\/code>) and keep only what you plan to use is likely to be notably faster, too (even if it&#8217;s not <em>faster<\/em>, it will return a <strong>lot<\/strong> less data, meaning you won&#8217;t bump against any user quotas as quickly):<\/p>\n<pre><code>(index=ndx1 sourcetype=srctp userId=* client=* version=*) OR (index=ndx2 sourcetype=srctp2 fooid=* speed=*)\n| fields - _raw\n| fields fooid userId client version speed\n| rename fooid as userId\n| stats values(client) as client values(version) as version values(speed) as speed by userId\n| where isnotnull(version) AND isnotnull(client) AND isnotnull(speed)\n<\/code><\/pre>\n<p>from User warren &#8211; Stack Overflow https:\/\/stackoverflow.com\/questions\/10019793\/how-can-i-conditionally-create-splunk-field-aliases\/74547217#74547217<br \/>\nvia <a href=\"https:\/\/ifttt.com\/?ref=da&#038;site=wordpress\">IFTTT<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Some of the answers on here are on a good track (especially @Adrian Hall&#8216;s suggestion to use eval &#8230; coalesce() But this is simpler: (index=ndx1 sourcetype=srctp userId=* client=* version=*) OR (index=ndx2 sourcetype=srctp2 fooid=* speed=*) | rename fooid as userId | stats values(client) as client values(version) as version values(speed) as speed by userId | where isnotnull(version) &hellip;<br \/><a href=\"https:\/\/merikebi.warrenmyers.com\/?p=66983\" class=\"more-link pen_button pen_element_default pen_icon_arrow_double\">Continue reading <span class=\"screen-reader-text\">Answer by warren for How can I conditionally create splunk field aliases?<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[991],"keyring_services":[],"class_list":["post-66983","post","type-post","status-publish","format-standard","hentry","category-blih","tag-stackexchange"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/66983","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=66983"}],"version-history":[{"count":1,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/66983\/revisions"}],"predecessor-version":[{"id":66984,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/66983\/revisions\/66984"}],"wp:attachment":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=66983"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=66983"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=66983"},{"taxonomy":"keyring_services","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fkeyring_services&post=66983"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}