Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to join value using wildcard? (Urgent)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to calculate the sum of count value in a tree form of data
Count table:
http://i60.tinypic.com/2qs1bmf.png
In count table,
0.0 is child of 0,
0.0.1 is child of 0.0,
0.0.1.1 is child of 0.0.1,
0.0.2 is child of 0.0,
0.0.1.2 is child of 0.0.1,
0.0.2.1 is child of 0.0.2,
0.0.2.2 is child of 0.0.2
Total count of the node = "sum of all offspring's count"+ self count
Expected result:
http://i58.tinypic.com/vfy3oi.png
I think that I may build up the [Relationship] table first.
Like this: http://i57.tinypic.com/dd83o.png
In SQL, I can write:
SELECT child.id SEQUENCE_ID,parent.id ELDER_GENERATION_SEQUENCE_ID FROM [count_table] child
INNER JOIN [count_table] parent on (child.id like parent.id + '%')
But how about in Splunk??
After having this table, I will group by the second column of [Relationship] table and sum them up.
What is the query to do this?
Thank you!!!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this workaround (runanywhere sample with your example data)
|gentimes start=-1 |eval temp="0:1#0.0:0#0.0.1:0#0.0.1.1:1#0.0.2:0#0.0.1.2:1#0.0.2.1:1#0.0.2.2:1" |table temp | makemv delim="#" temp | mvexpand temp | rex field=temp "(?<id>.*):(?<count>.*)" |fields - temp
| eval sno=mvcount(split(id,".")) | eval t=mvrange(1,sno+1) | mvexpand t |eval tid=substr(id,1,2*t -1)|stats sum(count) as count by tid
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it's too late. But this might help someone looking for same now.
For using wildcard, you can do something like this:
| join type="join_type" wildcard("field_name_to_join" ) [inner search here]
Hope this will help you all.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I tried this and cant get it to work, am i assuming the wilidard is * ?
Thanks
Robert
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ditto I too could not get it to work no matter how I tried to set the "field_name_to_join" including with an eval using the same name as the inner search would find. I was so hopeful too!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this workaround (runanywhere sample with your example data)
|gentimes start=-1 |eval temp="0:1#0.0:0#0.0.1:0#0.0.1.1:1#0.0.2:0#0.0.1.2:1#0.0.2.1:1#0.0.2.2:1" |table temp | makemv delim="#" temp | mvexpand temp | rex field=temp "(?<id>.*):(?<count>.*)" |fields - temp
| eval sno=mvcount(split(id,".")) | eval t=mvrange(1,sno+1) | mvexpand t |eval tid=substr(id,1,2*t -1)|stats sum(count) as count by tid
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
