In Splunk, I have a search producing a result table like this:
_time | A | B | C |
---|---|---|---|
2022-10-19 09:00:00 | A1 | B1 | C1 |
2022-10-19 09:00:00 | A2 | B2 | C2 |
2022-10-19 09:10:20 | A3 | B3 | C3 |
Now, for each row, I want to run a second search, using the _time value as an input parameter.
For rows 1 and 2 above (same _time value), the result of the second search would be:
_time | D | E |
---|---|---|
2022-10-19 09:00:00 | D1 | E1 |
For row 3 above, the result of the second search would be:
_time | D | E |
---|---|---|
2022-10-19 09:10:20 | D3 | E3 |
And now I want to output the results in a common table, like this:
_time | A | B | C | D | E |
---|---|---|---|---|---|
2022-10-19 09:00:00 | A1 | B1 | C1 | D1 | E1 |
2022-10-19 09:00:00 | A2 | B2 | C2 | D1 | E1 |
2022-10-19 09:10:20 | A3 | B3 | C3 | D3 | E3 |
I experimented with join, append, map, appendcols and subsearch, but I am struggling both with the row-by-row character of the second search and with pulling the data together into one common table.
For example, appendcols simply tacks one result table onto another, even if they are completely unrelated and differently shaped. Like so:
_time | A | B | C | D | E |
---|---|---|---|---|---|
2022-10-19 09:00:00 | A1 | B1 | C1 | D1 | E1 |
2022-10-19 09:00:00 | A2 | B2 | C2 | - | - |
2022-10-19 09:10:20 | A3 | B3 | C3 | - | - |
Can anybody please point me in the right direction?
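As an added illustration (not part of the question or of any answer), the following SPL contrasts key-based joining with the positional behaviour of appendcols shown above: both tables are constructed inline with makeresults instead of coming from real indexes, and a left join on _time fans the single D/E row out to every A/B/C row that shares that timestamp, which is the target table above.

```spl
| makeresults
| eval rows="2022-10-19 09:00:00,A1,B1,C1;2022-10-19 09:00:00,A2,B2,C2;2022-10-19 09:10:20,A3,B3,C3"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "^(?<ts>[^,]+),(?<A>[^,]+),(?<B>[^,]+),(?<C>[^,]+)$"
| eval _time=strptime(ts, "%Y-%m-%d %H:%M:%S")
| fields _time A B C
| join type=left _time
    [ | makeresults
      | eval rows="2022-10-19 09:00:00,D1,E1;2022-10-19 09:10:20,D3,E3"
      | makemv delim=";" rows
      | mvexpand rows
      | rex field=rows "^(?<ts>[^,]+),(?<D>[^,]+),(?<E>[^,]+)$"
      | eval _time=strptime(ts, "%Y-%m-%d %H:%M:%S")
      | fields _time D E ]
| table _time A B C D E
```

If the second search genuinely needs the timestamp as an input parameter rather than as a join key, map runs it once per row with `$_time$` (and `$A$`, `$B$`, `$C$`) substituted into the search string; the rest of the pipeline is the same.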