Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Joining searches with multivaluate fields turn them into single valuate field

guilhem
Contributor
‎02-12-2013 05:22 AM

Hello!

I am having a problem with this query:

index=myIndex
| join FIELD1 max=0 [search index=myOtherIndex | stats values(FIELD2) as FIELD2 by FIELD1]

When I look a the result of the query, the FIELD2 is not multivaluate, it is composed of a single line with space between the values, instead of a multivalued field.

If I run the search index=myOtherIndex | stats values(FIELD2) as FIELD2 by FIELD1 (without the join), I get the correct result, which is a multivaluate FIELD2.

It seems like the join command is somewhat interfering with the properties of the fields?

Does anyone have a clue on what's going on?

Thanks!

Guilhem

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lpolo
Motivator
‎02-12-2013 06:22 AM

Try this query it might work fine for you case:

(index=myIndex) OR
(index=myOtherIndex)
| stats 
  first(_time) as _time
  values(FIELD2) as FIELD2
  dc(sourcetype) as dc by FIELD1|search dc=2

View solution in original post

Reply
Solved! Jump to solution
Solution

lpolo
Motivator
‎02-12-2013 06:22 AM

Try this query it might work fine for you case:

(index=myIndex) OR
(index=myOtherIndex)
| stats 
  first(_time) as _time
  values(FIELD2) as FIELD2
  dc(sourcetype) as dc by FIELD1|search dc=2
Reply
Solved! Jump to solution

guilhem
Contributor
‎09-02-2013 01:40 AM

I can't remember where this search is, but I am now using this solution:

index=myIndex
| join FIELD1 max=0 [search index=myOtherIndex | stats values(FIELD2) as FIELD2 by FIELD1 ]
| eval FIELD2 = split(FIELD2, " ")

because split creates a multivalued field by splitting FIELD2 using the given delimiter (here it is the space character)

It is far from efficient but it works. I am sure it is possible to update it to a more efficient version thow

Reply
Solved! Jump to solution

0waste_splunk
Communicator
‎08-21-2013 08:44 AM

@guilhem

can you post your solution? I am facing the same problem.

I really appreciate your reply

Thanks

0 Karma
Reply
Solved! Jump to solution

guilhem
Contributor
‎03-25-2013 06:30 AM

Thanks for the tip, I have finally done it in another way.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...