https://community.splunk.com/t5/Splunk-Search/Join-with-quot-eventstats-quot-on-a-non-unique-field/m-p/373848#M109926 <P>@kcollori - Can you explain how this differs from (or adds requirements to) your use case in this question? <A href="https://answers.splunk.com/answers/578302/how-to-join-2-indexes-by-common-field-respective-t.html#answer-579343">https://answers.splunk.com/answers/578302/how-to-join-2-indexes-by-common-field-respective-t.html#answer-579343</A></P> <P>When trying to connect something that is non-unique, you have to create uniqueness by a time limit or some other unique characteristic. That generally is going to require <CODE>streamstats</CODE> rather than <CODE>eventstats</CODE>. </P> <P>You...</P> <UL> <LI>collect all the events that might be relevant,</LI> <LI>sort them in order (remember <CODE>sort 0</CODE> so you don't lose any),</LI> <LI>copy the information you need from one type of record forward or backward onto the other type of record using <CODE>streamstats</CODE>,<BR /></LI> <LI>get rid of any records that are now redundant </LI> <LI>... occasionally <CODE>eventstats</CODE> is useful right here to collect remaining information together ... </LI> <LI> then calculate and present your information.</LI> </UL> Wed, 04 Oct 2017 13:31:52 GMT DalJeanis 2017-10-04T13:31:52Z https://community.splunk.com/t5/Splunk-Search/Join-with-quot-eventstats-quot-on-a-non-unique-field/m-p/373845#M109923 <P>Hello there,</P> <P>I have 2 indexes <STRONG>[customer_id, datetime]</STRONG> and <STRONG>[customer_id, date_of_creation, motive]</STRONG> with a common field "<STRONG>customer_id</STRONG>". I would like to perform a join of my indexes on this fields knowing that the values in each indexe can be non unique.</P> <P>As I don't want to use the function <STRONG>Join</STRONG> of Splunk because of its limits, I use <STRONG>Eventstats</STRONG> instead. But the problem is that for the non unique values, I get multivalue fields concerning <STRONG>datetime</STRONG>, <STRONG>date_of_creation</STRONG> and <STRONG>motive</STRONG>.</P> <P>How could I proceed to get the same result as a join would do (without using Join !) ?</P> <P>Thanks in advance ! <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></P> Tue, 29 Sep 2020 16:05:39 GMT https://community.splunk.com/t5/Splunk-Search/Join-with-quot-eventstats-quot-on-a-non-unique-field/m-p/373845#M109923 kcollori 2020-09-29T16:05:39Z https://community.splunk.com/t5/Splunk-Search/Join-with-quot-eventstats-quot-on-a-non-unique-field/m-p/373846#M109924 <P>Have you tried <CODE>stats</CODE>?</P> <PRE><CODE>index=index1 OR index=index2 customer_id=* | stats values(datetime) as datetime values(date_of_creation) as date_of_creation values(motive) as motive by customer_id | ... </CODE></PRE> Wed, 04 Oct 2017 13:06:49 GMT https://community.splunk.com/t5/Splunk-Search/Join-with-quot-eventstats-quot-on-a-non-unique-field/m-p/373846#M109924 richgalloway 2017-10-04T13:06:49Z https://community.splunk.com/t5/Splunk-Search/Join-with-quot-eventstats-quot-on-a-non-unique-field/m-p/373847#M109925 <P>Yes I tried but it still gives me multivalue fields <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P> Wed, 04 Oct 2017 13:08:38 GMT https://community.splunk.com/t5/Splunk-Search/Join-with-quot-eventstats-quot-on-a-non-unique-field/m-p/373847#M109925 kcollori 2017-10-04T13:08:38Z https://community.splunk.com/t5/Splunk-Search/Join-with-quot-eventstats-quot-on-a-non-unique-field/m-p/373848#M109926 <P>@kcollori - Can you explain how this differs from (or adds requirements to) your use case in this question? <A href="https://answers.splunk.com/answers/578302/how-to-join-2-indexes-by-common-field-respective-t.html#answer-579343">https://answers.splunk.com/answers/578302/how-to-join-2-indexes-by-common-field-respective-t.html#answer-579343</A></P> <P>When trying to connect something that is non-unique, you have to create uniqueness by a time limit or some other unique characteristic. That generally is going to require <CODE>streamstats</CODE> rather than <CODE>eventstats</CODE>. </P> <P>You...</P> <UL> <LI>collect all the events that might be relevant,</LI> <LI>sort them in order (remember <CODE>sort 0</CODE> so you don't lose any),</LI> <LI>copy the information you need from one type of record forward or backward onto the other type of record using <CODE>streamstats</CODE>,<BR /></LI> <LI>get rid of any records that are now redundant </LI> <LI>... occasionally <CODE>eventstats</CODE> is useful right here to collect remaining information together ... </LI> <LI> then calculate and present your information.</LI> </UL> Wed, 04 Oct 2017 13:31:52 GMT https://community.splunk.com/t5/Splunk-Search/Join-with-quot-eventstats-quot-on-a-non-unique-field/m-p/373848#M109926 DalJeanis 2017-10-04T13:31:52Z