Hello there,
I have 2 indexes [customer_id, datetime] and [customer_id, date_of_creation, motive] with a common field "customer_id". I would like to perform a join of my indexes on this field, knowing that the values in each index can be non-unique.
As I don't want to use the Join function of Splunk because of its limits, I use Eventstats instead. But the problem is that for the non-unique values, I get multivalue fields for datetime, date_of_creation and motive.
How could I proceed to get the same result as a join would do (without using Join!)?
Thanks in advance! 😄
@kcollori - Can you explain how this differs from (or adds requirements to) your use case in this question? https://answers.splunk.com/answers/578302/how-to-join-2-indexes-by-common-field-respective-t.html#an...
When trying to connect something that is non-unique, you have to create uniqueness by a time limit or some other unique characteristic. That generally is going to require streamstats rather than eventstats.
You... sort 0 so you don't lose any), streamstats, eventstats is useful right here to collect remaining information together ... Have you tried stats?
index=index1 OR index=index2 customer_id=* | stats values(datetime) as datetime values(date_of_creation) as date_of_creation values(motive) as motive by customer_id | ...
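As an added example (not from this thread), one way to turn the multivalue result of the stats approach into one row per match while keeping date_of_creation and motive paired; it assumes the index names index1 and index2 from the query above and that date_of_creation and motive never contain a "|" character:

```spl
index=index1 OR index=index2 customer_id=*
| eval pair=if(index="index2", date_of_creation."|".motive, null())
| stats values(datetime) as datetime values(pair) as pair by customer_id
| where isnotnull(datetime) AND isnotnull(pair)
| mvexpand datetime
| mvexpand pair
| rex field=pair "^(?<date_of_creation>[^|]*)\|(?<motive>.*)$"
| fields customer_id datetime date_of_creation motive
```

This produces one row per (datetime, date_of_creation, motive) combination for each customer_id present in both indexes (a cross product, with values() deduplicating identical pairs); if only one match per customer is wanted, use first() or latest() instead of values() and drop the mvexpand steps. mvexpand is bounded by max_mem_usage_mb in limits.conf, so narrow the search to the customers of interest before expanding.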
Yes, I tried, but it still gives me multivalue fields 😕