Re: Joining the results of a search with a dataset

Mick26 · ‎07-14-2021

I've been trying to join the results of a search with a dataset on one line. I can get it to work with two lines, but it's hard to read and doesn't work with more than one result. I just want to combine the file_1 data with the search results. Here's what I have:

Output

First Line: field2 field3 field 4

Second Line: field1 field 5 etc

I'd like it to be on one line. field1 is common to both the search and the dataset.

Thanks in advance

richgalloway · ‎07-14-2021

That is the nature of the append command. The results of the append's subsearch are tacked on (appended) to the bottom of the main search's results. They can be combined by re-grouping the results with the stats command. That requires a field common to both result sets, however. Try this query

index=windows [| inputlookup file_1 | fields field1] 
| dedup field1 
| table field1, field2, field3, field4  
| append [| inputlookup file_1]
| stats values(*) as * by field1

---
If this reply helps you, Karma would be appreciated.

Mick26 · ‎07-15-2021

Hi richgalloway ,

Thank you for the information. The query separated the results so now, even though they are on two lines, it makes sense when looking down the page. That will work!

Thanks again

Joining the results of a search with a dataset

join

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!