Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to join 2 searches and control table output to remove rows with null field values?

edookati
Path Finder
‎07-28-2014 11:28 AM

I am using the below query to join 2 searches, but the table is showing me duplicate rows with only common_fields and null values in one_field one_field_tow one_field_three columns for these rows. Please let me know how to control the table output and remove all rows with one_field* null values.

sourcetype=one
| fields one_field one_field_two one_field_three common_field
| join common_field [ search sourcetype=two | fields common_field two_field_one, two_field_two ]
| table one_field one_field_two one_field_three two_field_one two_field_two common_field

Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-28-2014 11:37 AM

Try this

sourcetype=one one_field=* one_field_two=* one_field_three=* common_field=*| fields one_field one_field_two one_field_three common_field | join common_field [ search sourcetype=two | fields common_field two_field_one, two_field_two ] | table one_field one_field_two one_field_three two_field_one two_field_two common_field

If there are still duplicates, try this

sourcetype=one one_field=* one_field_two=* one_field_three=* common_field=*| stats count by one_field one_field_two one_field_three common_field | fields - count| join common_field [ search sourcetype=two | stats count by common_field two_field_one, two_field_two | fields - count] | table one_field one_field_two one_field_three two_field_one two_field_two common_field

View solution in original post

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-28-2014 12:16 PM

Alternatively, try stats:

  sourcetype=one OR sourcetype=two
| stats values(1f1) as 1f1 values(1f2) as 1f2
        values(2f1) as 2f1 values(2f2) as 2f2 by common_field
Reply
Solved! Jump to solution

lguinn2
Legend
‎07-28-2014 08:38 PM

And BTW, @martin_mueller's technique will be MUCH faster...

Reply
Solved! Jump to solution

lguinn2
Legend
‎07-28-2014 08:37 PM

Or, even easier

sourcetype=one OR sourcetype=two
| stats values(*) as * by common_field

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-28-2014 11:37 AM

Try this

sourcetype=one one_field=* one_field_two=* one_field_three=* common_field=*| fields one_field one_field_two one_field_three common_field | join common_field [ search sourcetype=two | fields common_field two_field_one, two_field_two ] | table one_field one_field_two one_field_three two_field_one two_field_two common_field

If there are still duplicates, try this

sourcetype=one one_field=* one_field_two=* one_field_three=* common_field=*| stats count by one_field one_field_two one_field_three common_field | fields - count| join common_field [ search sourcetype=two | stats count by common_field two_field_one, two_field_two | fields - count] | table one_field one_field_two one_field_three two_field_one two_field_two common_field
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...