Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to combine data based on a common field?

anooshac
Communicator
‎06-13-2022 05:43 AM

Hi all, i have some data task name, execution date, link uploaded earlier. Now i want to add some more data related to the task name they are component name, number of components. If i upload the 2nd data in the form task name , component name, number of components will i be able to get all data together based on one common field task name. Can anyone knows is there any solution for this?

My data are task name, execution date, link and the next set of data  is task name , component name, number of components.

Labels (2)
Labels
Tags (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-13-2022 05:53 AM

Yes, you can either use join or stats by task name to aggregate the values from the fields on a common take name.

0 Karma
Reply

anooshac
Communicator
‎06-13-2022 06:49 AM

I don't want to just display the data directly using stats. My raw data has alot of processing to do and using join i am joining all these processed results. Is there any solution other than this?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-13-2022 07:09 AM

Stats, just like any command, works on the events in the pipeline; you can choose where you put the stats command; you can have more than one stats command if that helps your use case.

0 Karma
Reply

anooshac
Communicator
‎06-14-2022 02:57 AM

when i use stats all the data including the data i don't want to display also shows. How to avoid these? I tried by putting table command after stats for the selected data but that doesn't work.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-14-2022 03:01 AM

The table command can be used to limit the fields/columns - the where command can be used to limit the event/rows

0 Karma
Reply

anooshac
Communicator
‎06-17-2022 04:08 AM

Okay. Thank you so much.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...