Solved: Join two field with similar values and stats by an...

icosine · ‎08-06-2020

How do I combine a field with similar value (where one value might or might not exist in one of the field) and use stats by with an uncommon field? I have the search below

| tstats prestats=t summariesonly=t allow_old_summaries=t count from datamodel=Network_Resolution.DNS by "DNS.query"
| rename DNS.query as query1
| tstats append=t prestats=t summariesonly=t allow_old_summaries=t count from datamodel=Web.Web by _time Web.dest Web.category
| rename Web.dest as query2
| rename Web.category as category
| eval query=coalesce(query1,query2)
| stats count by query category
| fillnull value=NULL

Web.dest	Web.category	DNS.query
abc.com	News	abc.com
		dfe.com

Results:

query	category
abc.com	news

Expected Results:

query	category
abc.com	news
dfe.com	NULL

to4kawa · ‎08-06-2020

...

| fillnull value=NULL
| stats count by query category

The order is important.

View solution in original post

to4kawa · ‎08-06-2020

...

| fillnull value=NULL
| stats count by query category

The order is important.

icosine · ‎08-06-2020

Omg thanks!

Join two field with similar values and stats by an uncommon field

fields

join

other

tstats

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...