How can I conditionally create splunk field aliases?
29-05-2021
Question
I'm trying to combine info from two different logs into a single query, but I'm not sure how, or if, I can do it. Essentially I want to do this:
LOG 1:
<client=foo userId=1234 version=10>
<client=foo userId=5432 version=8>
<client=bar userId=4567 version=4>
LOG 2:
fooid=1234 speed=500
fooid=5432 speed=300
What I'm trying to do is gather statistics on the speed of all users whose version == 10.
From what I've read, if I make an alias of userId == fooid, this might be possible by saying something like this:
fooid=* AND version=10
However, I still have the problem that not all userIds are fooids. So I would like to be able to create a fooid field alias in Log 1, but only if the client=foo. Is this possible, and if so, how can I do it?
Also, if there's some other way to perform this search it would be greatly appreciated.
Solution
Are you bringing these logs into the same index or do you have them going to separate indexes? You should be able to do something like index=FOO OR index=FOO2 | search fooid=* AND version=10 if you are bringing them into separate indexes.
There is a search cheat sheet on our developer site (http://dev.splunk.com) - http://dev.splunk.com/web_assets/developers/pdf/splunk_reference.pdf
and the search language reference guide can help as well: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/WhatsInThisManual
OTHER TIPS
This should do the trick:
index=FOO (sourcetype=LOG1 client=foo version=10) OR (sourcetype=LOG2)
| eval user=coalesce(fooid,userId)
| stats avg(speed) by user
The coalesce eval says "user is fooid if it exists, otherwise user is userid". Other than that, I've just put the appropriate search in to just grab the data you want and a simple stats.
Do this at search time like this:
index=FOO OR index=FOO2 | eval mergedID=if(isnotnull(fooid),fooid,userId) | transaction mergedID | stats min(speed) max(speed) avg(speed) by version
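As an added illustration (not code from the thread), a small Python model of the two pipelines over the question's sample lines: applying version=10 only to LOG 1 before the coalesce, versus keeping the version per merged user and filtering after aggregation (the SPL equivalent of stats values(version) ... by user | where version=10). The helper names are my own.

```python
import re
from statistics import mean

# Sample events taken from the question (LOG 1 and LOG 2 lines).
LOG1 = [
    "<client=foo userId=1234 version=10>",
    "<client=foo userId=5432 version=8>",
    "<client=bar userId=4567 version=4>",
]
LOG2 = [
    "fooid=1234 speed=500",
    "fooid=5432 speed=300",
]

KV = re.compile(r"(\w+)=([^\s<>]+)")


def parse(line, sourcetype):
    """Extract key=value pairs the way Splunk's automatic KV extraction would."""
    ev = dict(KV.findall(line))
    ev["sourcetype"] = sourcetype
    return ev


def merged_id(ev):
    """Equivalent of eval user=coalesce(fooid, userId): fooid if present, else userId."""
    return ev.get("fooid", ev.get("userId"))


def prefilter_then_stats(log1, log2, version="10"):
    """version=10 applied only to LOG1 events before the coalesce. LOG2 events carry
    speed but no version, so every fooid with a speed still reaches the stats."""
    events = [e for e in (parse(l, "LOG1") for l in log1) if e.get("version") == version]
    events += [parse(l, "LOG2") for l in log2]
    speeds = {}
    for ev in events:
        if "speed" in ev:
            speeds.setdefault(merged_id(ev), []).append(float(ev["speed"]))
    return {u: mean(s) for u, s in speeds.items()}


def stats_then_filter(log1, log2, version="10"):
    """Aggregate version and speed per merged user first, then keep only users whose
    LOG1 event has the wanted version (stats values(version) avg(speed) by user | where ...)."""
    per_user = {}
    for ev in [parse(l, "LOG1") for l in log1] + [parse(l, "LOG2") for l in log2]:
        b = per_user.setdefault(merged_id(ev), {"versions": set(), "speeds": []})
        if "version" in ev:
            b["versions"].add(ev["version"])
        if "speed" in ev:
            b["speeds"].append(float(ev["speed"]))
    return {u: mean(b["speeds"]) for u, b in per_user.items()
            if version in b["versions"] and b["speeds"]}
```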