Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Joining searches with multivaluate fields turn them into single valuate field

guilhem
Contributor
‎02-12-2013 05:22 AM

Hello!

I am having a problem with this query:

index=myIndex
| join FIELD1 max=0 [search index=myOtherIndex | stats values(FIELD2) as FIELD2 by FIELD1]

When I look a the result of the query, the FIELD2 is not multivaluate, it is composed of a single line with space between the values, instead of a multivalued field.

If I run the search index=myOtherIndex | stats values(FIELD2) as FIELD2 by FIELD1 (without the join), I get the correct result, which is a multivaluate FIELD2.

It seems like the join command is somewhat interfering with the properties of the fields?

Does anyone have a clue on what's going on?

Thanks!

Guilhem

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lpolo
Motivator
‎02-12-2013 06:22 AM

Try this query it might work fine for you case:

(index=myIndex) OR
(index=myOtherIndex)
| stats 
  first(_time) as _time
  values(FIELD2) as FIELD2
  dc(sourcetype) as dc by FIELD1|search dc=2

View solution in original post

Reply
Solved! Jump to solution
Solution

lpolo
Motivator
‎02-12-2013 06:22 AM

Try this query it might work fine for you case:

(index=myIndex) OR
(index=myOtherIndex)
| stats 
  first(_time) as _time
  values(FIELD2) as FIELD2
  dc(sourcetype) as dc by FIELD1|search dc=2
Reply
Solved! Jump to solution

guilhem
Contributor
‎09-02-2013 01:40 AM

I can't remember where this search is, but I am now using this solution:

index=myIndex
| join FIELD1 max=0 [search index=myOtherIndex | stats values(FIELD2) as FIELD2 by FIELD1 ]
| eval FIELD2 = split(FIELD2, " ")

because split creates a multivalued field by splitting FIELD2 using the given delimiter (here it is the space character)

It is far from efficient but it works. I am sure it is possible to update it to a more efficient version thow

Reply
Solved! Jump to solution

0waste_splunk
Communicator
‎08-21-2013 08:44 AM

@guilhem

can you post your solution? I am facing the same problem.

I really appreciate your reply

Thanks

0 Karma
Reply
Solved! Jump to solution

guilhem
Contributor
‎03-25-2013 06:30 AM

Thanks for the tip, I have finally done it in another way.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...