Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Joining searches with multivaluate fields turn them into single valuate field

guilhem
Contributor
‎02-12-2013 05:22 AM

Hello!

I am having a problem with this query:

index=myIndex
| join FIELD1 max=0 [search index=myOtherIndex | stats values(FIELD2) as FIELD2 by FIELD1]

When I look a the result of the query, the FIELD2 is not multivaluate, it is composed of a single line with space between the values, instead of a multivalued field.

If I run the search index=myOtherIndex | stats values(FIELD2) as FIELD2 by FIELD1 (without the join), I get the correct result, which is a multivaluate FIELD2.

It seems like the join command is somewhat interfering with the properties of the fields?

Does anyone have a clue on what's going on?

Thanks!

Guilhem

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lpolo
Motivator
‎02-12-2013 06:22 AM

Try this query it might work fine for you case:

(index=myIndex) OR
(index=myOtherIndex)
| stats 
  first(_time) as _time
  values(FIELD2) as FIELD2
  dc(sourcetype) as dc by FIELD1|search dc=2

View solution in original post

Reply
Solved! Jump to solution
Solution

lpolo
Motivator
‎02-12-2013 06:22 AM

Try this query it might work fine for you case:

(index=myIndex) OR
(index=myOtherIndex)
| stats 
  first(_time) as _time
  values(FIELD2) as FIELD2
  dc(sourcetype) as dc by FIELD1|search dc=2
Reply
Solved! Jump to solution

guilhem
Contributor
‎09-02-2013 01:40 AM

I can't remember where this search is, but I am now using this solution:

index=myIndex
| join FIELD1 max=0 [search index=myOtherIndex | stats values(FIELD2) as FIELD2 by FIELD1 ]
| eval FIELD2 = split(FIELD2, " ")

because split creates a multivalued field by splitting FIELD2 using the given delimiter (here it is the space character)

It is far from efficient but it works. I am sure it is possible to update it to a more efficient version thow

Reply
Solved! Jump to solution

0waste_splunk
Communicator
‎08-21-2013 08:44 AM

@guilhem

can you post your solution? I am facing the same problem.

I really appreciate your reply

Thanks

0 Karma
Reply
Solved! Jump to solution

guilhem
Contributor
‎03-25-2013 06:30 AM

Thanks for the tip, I have finally done it in another way.

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...