https://community.splunk.com/t5/Splunk-Search/How-to-join-value-using-wildcard-Urgent/m-p/154173#M43333 <P>Hi </P> <P>I tried this and cant get it to work, am i assuming the wilidard is * ?</P> <P>Thanks<BR /> Robert</P> Fri, 03 Nov 2017 16:15:08 GMT robertlynch2020 2017-11-03T16:15:08Z https://community.splunk.com/t5/Splunk-Search/How-to-join-value-using-wildcard-Urgent/m-p/154170#M43330 <P>I want to calculate the sum of count value in a tree form of data</P> <P><STRONG>Count table:</STRONG><BR /> <A href="http://i60.tinypic.com/2qs1bmf.png" target="_blank">http://i60.tinypic.com/2qs1bmf.png</A></P> <P>In count table, <BR /> 0.0 is child of 0,<BR /> 0.0.1 is child of 0.0,<BR /> 0.0.1.1 is child of 0.0.1,<BR /> 0.0.2 is child of 0.0,<BR /> 0.0.1.2 is child of 0.0.1,<BR /> 0.0.2.1 is child of 0.0.2,<BR /> 0.0.2.2 is child of 0.0.2</P> <P>Total count of the node = "sum of all offspring's count"+ self count </P> <P><STRONG>Expected result:</STRONG><BR /> <A href="http://i58.tinypic.com/vfy3oi.png" target="_blank">http://i58.tinypic.com/vfy3oi.png</A></P> <P>I think that I may build up the <STRONG>[Relationship] table</STRONG> first.<BR /> Like this: <A href="http://i57.tinypic.com/dd83o.png" target="_blank">http://i57.tinypic.com/dd83o.png</A><BR /> In SQL, I can write: <BR /> <STRONG>SELECT child.id SEQUENCE_ID,parent.id ELDER_GENERATION_SEQUENCE_ID FROM [count_table] child<BR /> INNER JOIN [count_table] parent on (child.id like parent.id + '%')</STRONG><BR /> But how about in Splunk??</P> <P>After having this table, I will group by the second column of [Relationship] table and sum them up.</P> <P><STRONG>What is the query to do this?</STRONG><BR /> Thank you!!!!!</P> Mon, 28 Sep 2020 17:48:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-value-using-wildcard-Urgent/m-p/154170#M43330 kelvin56887 2020-09-28T17:48:49Z https://community.splunk.com/t5/Splunk-Search/How-to-join-value-using-wildcard-Urgent/m-p/154171#M43331 <P>Try this workaround (runanywhere sample with your example data)</P> <PRE><CODE>|gentimes start=-1 |eval temp="0:1#0.0:0#0.0.1:0#0.0.1.1:1#0.0.2:0#0.0.1.2:1#0.0.2.1:1#0.0.2.2:1" |table temp | makemv delim="#" temp | mvexpand temp | rex field=temp "(?&lt;id&gt;.*):(?&lt;count&gt;.*)" |fields - temp | eval sno=mvcount(split(id,".")) | eval t=mvrange(1,sno+1) | mvexpand t |eval tid=substr(id,1,2*t -1)|stats sum(count) as count by tid </CODE></PRE> Tue, 07 Oct 2014 13:28:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-value-using-wildcard-Urgent/m-p/154171#M43331 somesoni2 2014-10-07T13:28:26Z https://community.splunk.com/t5/Splunk-Search/How-to-join-value-using-wildcard-Urgent/m-p/154172#M43332 <P>Yes, it's too late. But this might help someone looking for same now.</P> <P>For using wildcard, you can do something like this:</P> <P>| join type="join_type" wildcard("field_name_to_join" ) [inner search here]</P> <P>Hope this will help you all.</P> Tue, 29 Sep 2020 14:36:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-value-using-wildcard-Urgent/m-p/154172#M43332 BansodeSantosh 2020-09-29T14:36:09Z https://community.splunk.com/t5/Splunk-Search/How-to-join-value-using-wildcard-Urgent/m-p/154173#M43333 <P>Hi </P> <P>I tried this and cant get it to work, am i assuming the wilidard is * ?</P> <P>Thanks<BR /> Robert</P> Fri, 03 Nov 2017 16:15:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-value-using-wildcard-Urgent/m-p/154173#M43333 robertlynch2020 2017-11-03T16:15:08Z https://community.splunk.com/t5/Splunk-Search/How-to-join-value-using-wildcard-Urgent/m-p/154174#M43334 <P>Ditto I too could not get it to work no matter how I tried to set the "field_name_to_join" including with an eval using the same name as the inner search would find. I was so hopeful too!</P> Wed, 30 Sep 2020 01:33:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-value-using-wildcard-Urgent/m-p/154174#M43334 sirpatrick 2020-09-30T01:33:56Z