Splunk Search

Combine two tables into one wrt two common parameter(where blank values should be filled with zero "0")

Hi ,
I have two input csv's which are displayed in splunk as shown in below image:

alt text

I want to search in second csv with respect to first CSV's param1 and param2.

i.e. To display a final table where, first csv output is as it is, only second csv's "second value" column is added with matching param1 and param2 value between both CSV. And for those , where there is no match should be filled with zero, "0".

I know its difficult to understand, hence putting the image for reference:

alt text

I tried the join command, but if those param1 and param2 fields from first CSV are not available in second CSV, that result is not displayed, which is not desirable.

Kindly help me to get the output as per the above image.

Tags (4)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

You could do this:

search for first CSV | join type=left param1 param2 [search for second CSV] | fillnull value2

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

You could do this:

search for first CSV | join type=left param1 param2 [search for second CSV] | fillnull value2

View solution in original post

0 Karma

Thanks martin_mueller

0 Karma