Solved: Re: Join two field with similar values and stats b...

icosine · ‎08-06-2020

How do I combine a field with similar value (where one value might or might not exist in one of the field) and use stats by with an uncommon field? I have the search below

| tstats prestats=t summariesonly=t allow_old_summaries=t count from datamodel=Network_Resolution.DNS by "DNS.query"
| rename DNS.query as query1
| tstats append=t prestats=t summariesonly=t allow_old_summaries=t count from datamodel=Web.Web by _time Web.dest Web.category
| rename Web.dest as query2
| rename Web.category as category
| eval query=coalesce(query1,query2)
| stats count by query category
| fillnull value=NULL

Web.dest	Web.category	DNS.query
abc.com	News	abc.com
		dfe.com

Results:

query	category
abc.com	news

Expected Results:

query	category
abc.com	news
dfe.com	NULL

to4kawa · ‎08-06-2020

...

| fillnull value=NULL
| stats count by query category

The order is important.

View solution in original post

to4kawa · ‎08-06-2020

...

| fillnull value=NULL
| stats count by query category

The order is important.

icosine · ‎08-06-2020

Omg thanks!

Join two field with similar values and stats by an uncommon field

fields

join

other

tstats

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor