Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I append different fields from a subsearch?

russell120
Communicator
‎02-13-2019 08:20 AM

Hello,

I'm trying to search within another sourcetype and append fields oxygen, and rock to a CSV base search. I'm attempting to match them by id with this search: 

|inputlookup environmentSample.csv |append [search sourcetype="environmentData" |fields oxygen rock id]
|table nitrogen bacteria id oxygen rock

environmentSample.csv:

nitrogen     bacteria    id
   5      c. perfringens 111
   7      B. cereus      222

sourcetype=environmentData:

oxygen    rock    id
  3      pyrite   111
 2.6    basalt    222

What query do I need to see this result -- where the results appear in the SAME ROW based on id?:

nitrogen     bacteria    id    oxygen    rock  
   5      c. perfringens 111     3      pyrite   
   7      B. cereus      222    2.6     basalt
0 Karma
Reply

cvssravan
Path Finder
‎02-13-2019 12:20 PM

Try this:

|inputlookup environmentSample.csv |join id [search sourcetype="environmentData" |fields oxygen rock id]

0 Karma
Reply

russell120
Communicator
‎02-13-2019 12:24 PM

I prefer to stay away from |join since it's an expensive command. In my real query so I have 3 subsearches; using |join would require me to use 3 |join commands, which would take a long time.

0 Karma
Reply

cvssravan
Path Finder
‎02-13-2019 12:57 PM

If you want the output in your requested format, I think you should use join to link the data. Will watch for any alternative answers.

0 Karma
Reply

vnravikumar
Champion
‎02-13-2019 08:25 AM

Hi @russell120

Try

your query...| selfjoin  id
0 Karma
Reply

vnravikumar
Champion
‎02-13-2019 11:07 AM

Try with

|inputlookup environmentSample.csv |append [search sourcetype="environmentData" |fields oxygen rock id] |selfjoin id |table nitrogen bacteria id oxygen rock
0 Karma
Reply

russell120
Communicator
‎02-13-2019 11:30 AM

This didn't work unfortunately. I think it may be because id in my sourcetype data has the id number as a multivalue for some reason, where it looks like:

id
111
111

222
222

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎02-13-2019 08:25 AM

@russell120
Can you please try this?

|inputlookup environmentSample.csv |append [search sourcetype="environmentData" |fields oxygen rock id] |stats  values(nitrogen) as nitrogen values(bacteria) as bacteria values(oxygen) as oxygen values(rock) as rock by id
0 Karma
Reply

russell120
Communicator
‎02-13-2019 10:53 AM

Would by id work if the CSV had 

id
111
222

and the sourcetype=environmentData had the below as multivalues?

id
111
111

222
222
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...