Splunk Search

Joining the results of a search with a dataset

Mick26
Engager

I've been trying to join the results of a search with a dataset on one line. I can get it to work with two lines, but it's hard to read and doesn't work with more than one result. I just want to combine the file_1 data with the search results. Here's what I have:

index=windows [| inputlookup file_1 | fields field1] | dedup field1 | table field2, field3, field4  | append [| inputlookup file_1]

Output

First Line: field2    field3   field4

Second Line:                                              field1 field5 etc

I'd like it to be on one line. field1 is common to both the search and the dataset.

Thanks in advance


richgalloway
SplunkTrust

That is the nature of the append command.  The results of the append's subsearch are tacked on (appended) to the bottom of the main search's results.  They can be combined by re-grouping the results with the stats command.  That requires a field common to both result sets, however.  Try this query

index=windows [| inputlookup file_1 | fields field1] 
| dedup field1 
| table field1, field2, field3, field4  
| append [| inputlookup file_1]
| stats values(*) as * by field1
---
If this reply helps you, an upvote would be appreciated.
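To make the mechanics of the answer above concrete, here is an added simulation (not from the thread or from Splunk) of what "| append [...] | stats values(*) as * by field1" does to the two result sets: append stacks the lookup rows under the search rows, and stats regroups them on field1. The rows, host names and field values are constructed; it also shows the two caveats a practitioner hits, that lookup rows with no matching event still appear, and that several distinct values per field1 become a multivalue field.

```python
from collections import defaultdict

# Constructed stand-in for the main search output (table field1..field4)
SEARCH_RESULTS = [
    {"field1": "host-a", "field2": "4624", "field3": "jsmith", "field4": "10.0.0.5"},
    {"field1": "host-b", "field2": "4625", "field3": "admin", "field4": "10.0.0.9"},
    {"field1": "host-b", "field2": "4625", "field3": "root", "field4": "10.0.0.9"},
]

# Constructed stand-in for "| inputlookup file_1"
LOOKUP_ROWS = [
    {"field1": "host-a", "field5": "finance"},
    {"field1": "host-b", "field5": "dmz"},
    {"field1": "host-c", "field5": "lab"},  # no matching event, still appended
]


def append_rows(main, sub):
    """'append' simply concatenates the subsearch rows under the main rows."""
    return list(main) + list(sub)


def stats_values_by(rows, key):
    """Approximate 'stats values(*) as * by <key>': group on key and keep the
    distinct, sorted, non-null values of every other field. One value stays
    scalar; several distinct values become a list (a multivalue field)."""
    groups = defaultdict(lambda: defaultdict(set))
    for row in rows:
        k = row.get(key)
        if k is None:  # rows lacking the by-field are dropped by stats
            continue
        for f, v in row.items():
            if f != key and v not in (None, ""):
                groups[k][f].add(v)
    out = []
    for k in sorted(groups):
        merged = {key: k}
        for f, vals in groups[k].items():
            ordered = sorted(vals)
            merged[f] = ordered[0] if len(ordered) == 1 else ordered
        out.append(merged)
    return out


def join_search_with_lookup(search_rows, lookup_rows, key="field1"):
    """The full pipeline from the answer: append, then stats values(*) by key."""
    return stats_values_by(append_rows(search_rows, lookup_rows), key)


if __name__ == "__main__":
    for row in join_search_with_lookup(SEARCH_RESULTS, LOOKUP_ROWS):
        print(row)
```

Each printed row is one line per field1 with the lookup's field5 beside the event fields; host-b shows the multivalue case and host-c the lookup-only case.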

Mick26
Engager

Hi,

Thank you for the information. The query separated the results so now, even though they are on two lines, it makes sense when looking down the page. That will work!

Thanks again  
