https://community.splunk.com/t5/Splunk-Search/Using-join-statement-with-count-and-dedup/m-p/66136#M16418 <P>I have the current statement using append:</P> <PRE><CODE>search_term1 | stats count by ip_address | table ip_address count | append [search search_term1 | dedup ip_address | table ipaddress _raw] </CODE></PRE> <P>which makes a table rows:</P> <P>ip_address---------- count ------------ _raw </P> <P>123.456.1.1 -------- 520 ------------------</P> <P>123.456.1.1 ----------------------------- raw data</P> <P>I would like to combine my data into single lines:</P> <P>ip_address---------- count ------------ _raw </P> <P>123.456.1.1 -------- 520 -------------- raw data</P> <P>It seems that I should use the join statement but when I do the raw data refuses to display at all. Please help! Thanks!</P> Mon, 17 Jun 2013 21:22:11 GMT cpeteman 2013-06-17T21:22:11Z https://community.splunk.com/t5/Splunk-Search/Using-join-statement-with-count-and-dedup/m-p/66136#M16418 <P>I have the current statement using append:</P> <PRE><CODE>search_term1 | stats count by ip_address | table ip_address count | append [search search_term1 | dedup ip_address | table ipaddress _raw] </CODE></PRE> <P>which makes a table rows:</P> <P>ip_address---------- count ------------ _raw </P> <P>123.456.1.1 -------- 520 ------------------</P> <P>123.456.1.1 ----------------------------- raw data</P> <P>I would like to combine my data into single lines:</P> <P>ip_address---------- count ------------ _raw </P> <P>123.456.1.1 -------- 520 -------------- raw data</P> <P>It seems that I should use the join statement but when I do the raw data refuses to display at all. Please help! Thanks!</P> Mon, 17 Jun 2013 21:22:11 GMT https://community.splunk.com/t5/Splunk-Search/Using-join-statement-with-count-and-dedup/m-p/66136#M16418 cpeteman 2013-06-17T21:22:11Z https://community.splunk.com/t5/Splunk-Search/Using-join-statement-with-count-and-dedup/m-p/66137#M16419 <P>I was able to solve this by using selfjoin statement: </P> <PRE><CODE>search_term1 | stats count by ip_address | rename ip_address as sip_address | rename count as scount | table sip_address,scount | append [ search search_term1 | dedup ip_address | rename ip_address as sip_address | table sip_address,_raw ] | selfjoin sip_address </CODE></PRE> Mon, 17 Jun 2013 23:38:16 GMT https://community.splunk.com/t5/Splunk-Search/Using-join-statement-with-count-and-dedup/m-p/66137#M16419 cpeteman 2013-06-17T23:38:16Z https://community.splunk.com/t5/Splunk-Search/Using-join-statement-with-count-and-dedup/m-p/66138#M16420 <P>Although I would still like to know why it is that count must be renamed.</P> Fri, 28 Jun 2013 21:01:48 GMT https://community.splunk.com/t5/Splunk-Search/Using-join-statement-with-count-and-dedup/m-p/66138#M16420 cpeteman 2013-06-28T21:01:48Z https://community.splunk.com/t5/Splunk-Search/Using-join-statement-with-count-and-dedup/m-p/66139#M16421 <P>If anyone need help with a problem similar to this feel free to comment.</P> Mon, 01 Jul 2013 23:16:49 GMT https://community.splunk.com/t5/Splunk-Search/Using-join-statement-with-count-and-dedup/m-p/66139#M16421 cpeteman 2013-07-01T23:16:49Z https://community.splunk.com/t5/Splunk-Search/Using-join-statement-with-count-and-dedup/m-p/66140#M16422 <P>I've had to do a fair bit more on this stuff since I asked so I may have a shot at helping</P> Mon, 01 Jul 2013 23:17:23 GMT https://community.splunk.com/t5/Splunk-Search/Using-join-statement-with-count-and-dedup/m-p/66140#M16422 cpeteman 2013-07-01T23:17:23Z