Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Joining the results of a search with a dataset

Mick26
Engager
‎07-14-2021 01:37 PM

I've been trying to join the results of a search with a dataset on one line. I can get it to work with two lines, but it's hard to read and doesn't work with more than one result. I just want to combine the file_1 data with the search results. Here's what I have:

index=windows [| inputlookup file_1 | fields field1] | dedup field1 | table field2, field3, field4  | append [| inputlookup file_1]

Output

First Line: field2    field3   field 4

 Second Line:                                              field1 field 5 etc

 

I'd like it to be on one line. field1 is common to both the search and the dataset. 

 

Thanks in advance

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-14-2021 01:48 PM

That is the nature of the append command.  The results of the append's subsearch are tacked on (appended) to the bottom of the main search's results.  They can be combined by re-grouping the results with the stats command.  That requires a field common to both result sets, however.  Try this query

index=windows [| inputlookup file_1 | fields field1] 
| dedup field1 
| table field1, field2, field3, field4  
| append [| inputlookup file_1]
| stats values(*) as * by field1
---
If this reply helps you, Karma would be appreciated.
Reply

Mick26
Engager
‎07-15-2021 08:44 AM

Hi  ,

Thank you for the information. The query separated the results so now, even though they are on two lines, it makes sense when looking down the page. That will work!

Thanks again  

0 Karma
Reply
Get Updates on the Splunk Community!

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...