Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

JOIN on some of the columns

michael_vi
Path Finder
‎01-06-2022 03:30 AM

I have a table (that is a spitted URL) in the following format:

 

field1field2field3field4field5field6
aaaaa11111qqqqqaaaaaattttttyyyyyy
aaaaa11111ccccccrrrrrrr  
bbbbb22222rrrrrrrrriiiiiiiiiiivvvvvv 
ccccc22222wwwwwttttttttt  
ddddd333334444445555555  

 

Ans the other table has only some of the columns:

field1field2field3field4NameDescription
ccccc22222  MickeyMouse
aaaaa11111  PinkyBrain
ddddd33333444444 ZZTop

 

I need that the rows in the second table with be marched to first one, when the values of the second table have only a "base" values. This is what I expect to get:

field1field2field3field4field5field6NameDescription
aaaaa11111qqqqqaaaaaattttttyyyyyyPinkyBrain
aaaaa11111ccccccrrrrrrr  PinkyBrain
aaaaa11111qqqqqaaaaaattttttyyyyyyPinkyBrain
aaaaa11111ccccccrrrrrrr  PinkyBrain
bbbbb22222rrrrrrrrriiiiiiiiiiivvvvvv ZZTop
ccccc22222wwwwwttttttttt  MickeyMouse
ddddd333334444445555555  ZZTop

 

| join type=left field1 field2... []

It make sense that when I do a left join it looks for a corresponding values in all fields, and if it's not there... I have no results

How can I solve it?
Thanks

Labels (1)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-06-2022 04:10 AM

It is not clear how you get your expected results.

Why are the first two lines repeated?

Why is bbbbb ZZ Top?

0 Karma
Reply

michael_vi
Path Finder
‎01-08-2022 10:49 PM

@ITWhisperer 

They are repeated, since it answers the JOIN condition.

aaaaa11111

 

Can be applied to:

field1field2field3field4field5field6
aaaaa11111qqqqqaaaaaattttttyyyyyy
aaaaa11111ccccccrrrrrrr  

 

The only way, I see that it can be done, is by each time to make a another join... something like:

| join type=left max=0 field1 [...]
| join type=left max=0 field1 field2 [...]
| join type=left max=0 field1 field2 field3 [...]

I was looking for more elegant solution

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-09-2022 01:59 AM

This still doesn't explain why bbbbb "joins" with ZZ Top?

0 Karma
Reply

michael_vi
Path Finder
‎01-09-2022 10:27 AM

@ITWhisperer 

You're right. My mistake. Should be NULL

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-09-2022 12:36 PM

 

search 1
| append [ search 2 ]
| stats values(*) as * by field1 field2
| mvexpand field3
| mvexpand field4

 

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...