https://community.splunk.com/t5/Splunk-Search/join-only-with-the-first-row/m-p/574527#M200218 <P><SPAN class=""><SPAN class=""><SPAN>That is a perfect solution.</SPAN></SPAN> <SPAN class=""><SPAN>Thank you very much!</SPAN></SPAN></SPAN></P> Thu, 11 Nov 2021 07:30:28 GMT rafadvega 2021-11-11T07:30:28Z https://community.splunk.com/t5/Splunk-Search/join-only-with-the-first-row/m-p/574460#M200190 <P>Hi,</P><P>I need to join two searchs. For example:</P><P>Example 1:</P><P>&nbsp;</P><LI-CODE lang="markup">| inputlookup join_example1.csv</LI-CODE><P>&nbsp;</P><TABLE width="216"><TBODY><TR><TD width="54">country</TD><TD width="48">product</TD><TD width="75">day</TD><TD width="39">stock</TD></TR><TR><TD>Spain</TD><TD>apples</TD><TD>10/10/2022</TD><TD>25</TD></TR><TR><TD>France</TD><TD>apples</TD><TD>10/10/2022</TD><TD>22</TD></TR><TR><TD>Spain</TD><TD>grapes</TD><TD>10/10/2022</TD><TD>30</TD></TR><TR><TD>France</TD><TD>grapes</TD><TD>10/10/2022</TD><TD>28</TD></TR><TR><TD>Spain</TD><TD>apples</TD><TD>10/10/2021</TD><TD>25</TD></TR><TR><TD>France</TD><TD>apples</TD><TD>10/10/2021</TD><TD>22</TD></TR><TR><TD>Spain</TD><TD>grapes</TD><TD>10/10/2021</TD><TD>30</TD></TR><TR><TD>France</TD><TD>grapes</TD><TD>10/10/2021</TD><TD>28</TD></TR></TBODY></TABLE><P>&nbsp;</P><P><SPAN>Example 2:</SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">| inputlookup join_example2.csv</LI-CODE><P>&nbsp;</P><TABLE width="201"><TBODY><TR><TD width="75">day</TD><TD width="55">product</TD><TD width="71">requested</TD></TR><TR><TD>10/10/2022</TD><TD>apples</TD><TD>90</TD></TR><TR><TD>10/10/2021</TD><TD>apples</TD><TD>110</TD></TR><TR><TD>10/10/2022</TD><TD>grapes</TD><TD>100</TD></TR><TR><TD>10/10/2021</TD><TD>grapes</TD><TD>110</TD></TR></TBODY></TABLE><P><SPAN><BR />If I join bot searchs:</SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">| inputlookup join_example1.csv | join product, day [| inputlookup join_example2.csv] | table product day country stock requested</LI-CODE><P>&nbsp;</P><P>The result is:</P><TABLE width="294"><TBODY><TR><TD width="55">product</TD><TD width="75">day</TD><TD width="54">country</TD><TD width="39">stock</TD><TD width="71">requested</TD></TR><TR><TD>apples</TD><TD>10/10/2022</TD><TD>Spain</TD><TD>25</TD><TD>90</TD></TR><TR><TD>apples</TD><TD>10/10/2022</TD><TD>France</TD><TD>22</TD><TD>90</TD></TR><TR><TD>grapes</TD><TD>10/10/2022</TD><TD>Spain</TD><TD>30</TD><TD>100</TD></TR><TR><TD>grapes</TD><TD>10/10/2022</TD><TD>France</TD><TD>28</TD><TD>100</TD></TR><TR><TD>apples</TD><TD>10/10/2021</TD><TD>Spain</TD><TD>25</TD><TD>110</TD></TR><TR><TD>apples</TD><TD>10/10/2021</TD><TD>France</TD><TD>22</TD><TD>110</TD></TR><TR><TD>grapes</TD><TD>10/10/2021</TD><TD>Spain</TD><TD>30</TD><TD>110</TD></TR><TR><TD>grapes</TD><TD>10/10/2021</TD><TD>France</TD><TD>28</TD><TD>110</TD></TR></TBODY></TABLE><P>&nbsp;</P><P><SPAN>But</SPAN><SPAN>&nbsp;I need the sub search merges only with the first result like this (only in one country):</SPAN></P><TABLE width="294"><TBODY><TR><TD width="55">product</TD><TD width="75">day</TD><TD width="54">country</TD><TD width="39">stock</TD><TD width="71">requested</TD></TR><TR><TD>apples</TD><TD>10/10/2022</TD><TD>Spain</TD><TD>25</TD><TD>90</TD></TR><TR><TD>apples</TD><TD>10/10/2022</TD><TD>France</TD><TD>22</TD><TD>0</TD></TR><TR><TD>grapes</TD><TD>10/10/2022</TD><TD>Spain</TD><TD>30</TD><TD>100</TD></TR><TR><TD>grapes</TD><TD>10/10/2022</TD><TD>France</TD><TD>28</TD><TD>0</TD></TR><TR><TD>apples</TD><TD>10/10/2021</TD><TD>Spain</TD><TD>25</TD><TD>110</TD></TR><TR><TD>apples</TD><TD>10/10/2021</TD><TD>France</TD><TD>22</TD><TD>0</TD></TR><TR><TD>grapes</TD><TD>10/10/2021</TD><TD>Spain</TD><TD>30</TD><TD>110</TD></TR><TR><TD>grapes</TD><TD>10/10/2021</TD><TD>France</TD><TD>28</TD><TD>0</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>That is only a example, I need only merge subsearchs results once. Anyone knows a solution for this?</P><P>Thanks!!!</P> Wed, 10 Nov 2021 17:46:54 GMT https://community.splunk.com/t5/Splunk-Search/join-only-with-the-first-row/m-p/574460#M200190 rafadvega 2021-11-10T17:46:54Z https://community.splunk.com/t5/Splunk-Search/join-only-with-the-first-row/m-p/574504#M200213 <P>You can add this to the end of your example search</P><LI-CODE lang="markup">| streamstats c by product day | eval requested=if(c=1,requested,0) | fields - c</LI-CODE><P>which simply does a count by product and day and then sets requested to 0 if the count value is not 1</P><P>Not sure if this will give you a general solution though.</P><P>&nbsp;</P> Wed, 10 Nov 2021 21:50:18 GMT https://community.splunk.com/t5/Splunk-Search/join-only-with-the-first-row/m-p/574504#M200213 bowesmana 2021-11-10T21:50:18Z https://community.splunk.com/t5/Splunk-Search/join-only-with-the-first-row/m-p/574527#M200218 <P><SPAN class=""><SPAN class=""><SPAN>That is a perfect solution.</SPAN></SPAN> <SPAN class=""><SPAN>Thank you very much!</SPAN></SPAN></SPAN></P> Thu, 11 Nov 2021 07:30:28 GMT https://community.splunk.com/t5/Splunk-Search/join-only-with-the-first-row/m-p/574527#M200218 rafadvega 2021-11-11T07:30:28Z