https://community.splunk.com/t5/Splunk-Search/correlate-data-without-subsearch-or-transaction/m-p/291533#M162012 <P>Hi,</P> <P>I got data that have some fields missing in some events, e.g.</P> <PRE><CODE>field1 field2 field3 field4 field5 A val1 B val2 A B val3 C val5 D val4 C D val6 </CODE></PRE> <P>and want to group by either field1 or field2 to make output like this:</P> <PRE><CODE>field1 field2 field3 field4 field5 A B val2 val1 val3 C D val4 val5 val6 </CODE></PRE> <P>I tried to avoid join, subsearch, or transaction. Is it possible?<BR /> Sorry for newbie question.</P> <P>Thanks and rgds<BR /> /st wong</P> Tue, 27 Mar 2018 10:07:46 GMT stwong 2018-03-27T10:07:46Z https://community.splunk.com/t5/Splunk-Search/correlate-data-without-subsearch-or-transaction/m-p/291533#M162012 <P>Hi,</P> <P>I got data that have some fields missing in some events, e.g.</P> <PRE><CODE>field1 field2 field3 field4 field5 A val1 B val2 A B val3 C val5 D val4 C D val6 </CODE></PRE> <P>and want to group by either field1 or field2 to make output like this:</P> <PRE><CODE>field1 field2 field3 field4 field5 A B val2 val1 val3 C D val4 val5 val6 </CODE></PRE> <P>I tried to avoid join, subsearch, or transaction. Is it possible?<BR /> Sorry for newbie question.</P> <P>Thanks and rgds<BR /> /st wong</P> Tue, 27 Mar 2018 10:07:46 GMT https://community.splunk.com/t5/Splunk-Search/correlate-data-without-subsearch-or-transaction/m-p/291533#M162012 stwong 2018-03-27T10:07:46Z https://community.splunk.com/t5/Splunk-Search/correlate-data-without-subsearch-or-transaction/m-p/291534#M162013 <P>Did you try<CODE>appendcols</CODE>? Like:</P> <PRE><CODE>..... | stats values(field3) AS field3 values(field4) AS field4 values(field5) AS field5 by field1 | appendcols [search index="abc_new" sourcetype="csv" | stats values(field3) AS field3 values(field4) AS field4 values(field5) AS field5 by field2] |table field1 field2 field3 field4 field5 </CODE></PRE> Tue, 27 Mar 2018 10:39:20 GMT https://community.splunk.com/t5/Splunk-Search/correlate-data-without-subsearch-or-transaction/m-p/291534#M162013 p_gurav 2018-03-27T10:39:20Z https://community.splunk.com/t5/Splunk-Search/correlate-data-without-subsearch-or-transaction/m-p/291535#M162014 <P>Thanks, but can appendcols do something like following?</P> <P>..| stats values(field3) as field3, values(field4) as field4, values(field5) as field5 by "either field1 or field2" ?</P> <P>and also hope to avoid subsearches.</P> <P>Thanks and rgds</P> Tue, 27 Mar 2018 12:21:43 GMT https://community.splunk.com/t5/Splunk-Search/correlate-data-without-subsearch-or-transaction/m-p/291535#M162014 stwong 2018-03-27T12:21:43Z https://community.splunk.com/t5/Splunk-Search/correlate-data-without-subsearch-or-transaction/m-p/291536#M162015 <P>I'd approach this by using eventstats before stats, given the data you presented. </P> <P>First, cross-apply the values from field1 and field2:</P> <PRE><CODE>| eventstats values(field1) AS field1 BY field2 </CODE></PRE> <P>This should take your first table and make it look like this:</P> <PRE><CODE> field1 field2 field3 field4 field5 A val1 A B val2 A B val3 C val5 C D val4 C D val6 </CODE></PRE> <P>Now every row in the table has a value for <CODE>field1</CODE>, making it possible to use stats to populate the table:</P> <PRE><CODE>| stats values(field2) AS field2 values(field3) AS field3 values(field4) AS field4 values(field5) AS field5 BY field1 </CODE></PRE> <P>If that doesn't work, it means the table likely has some instances where there is no value for field1, like maybe this:</P> <PRE><CODE> field1 field2 field3 field4 field5 A val1 A B val2 A B val3 C val5 C D val4 C D val6 E val7 E val8 </CODE></PRE> <P>If your data has events like that, I can help you adjust your search. It'll be a little more complex, but it's still doable.</P> Tue, 27 Mar 2018 13:33:01 GMT https://community.splunk.com/t5/Splunk-Search/correlate-data-without-subsearch-or-transaction/m-p/291536#M162015 elliotproebstel 2018-03-27T13:33:01Z https://community.splunk.com/t5/Splunk-Search/correlate-data-without-subsearch-or-transaction/m-p/291537#M162016 <P>Hi, it works perfectly. Thanks a lot.</P> Wed, 28 Mar 2018 09:51:13 GMT https://community.splunk.com/t5/Splunk-Search/correlate-data-without-subsearch-or-transaction/m-p/291537#M162016 stwong 2018-03-28T09:51:13Z