Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Mimicing groupby & join behavior to get group aggregates

leecaf
Explorer
‎06-11-2013 11:36 AM

Referring to table below, If it started with only Col1 and Col2. In a relational DB I would do a groupby followed by a join on 'col1' to get the derived col 'MaxOfCol1' . is there a better to do it in splunk since joins are inefficient?

+------+------+-----------+
| Col1 | Col2 | MaxOfCol1 |
+------+------+-----------+
|    1 |    1 |         3 |
|    1 |    2 |         3 |
|    1 |    3 |         3 |
|    2 |    4 |        55 |
|    2 |    2 |        55 |
|    2 |   55 |        55 |
|    3 |   12 |        12 |
|    3 |    3 |        12 |
|    3 |    1 |        12 |
+------+------+-----------+
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

brettcave
Builder
‎06-12-2013 04:01 AM

1 function: stats.

Provide some sample data for more....
Keep this open for reference: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commonstatsfunctions

View solution in original post

0 Karma
Reply
Solved! Jump to solution

leecaf
Explorer
‎06-12-2013 04:52 AM

every event has a field called Col1 and Col2 as per the table above. I want to do an 'eval' like operation which will add the 3rd field MaxOfCol1 to each event.

0 Karma
Reply
Solved! Jump to solution
Solution

brettcave
Builder
‎06-12-2013 04:01 AM

1 function: stats.

Provide some sample data for more....
Keep this open for reference: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commonstatsfunctions

0 Karma
Reply
Solved! Jump to solution

brettcave
Builder
‎06-12-2013 05:58 AM

you could use transaction command too, and then use eval with some MV functions. You can also propogate 1 field to multiple events using stats values(col2) as col2_distinct by col1 | mvexpand col2_distinct. stats + values = a distinct list. stats + list = a full list.

Reply
Solved! Jump to solution

Ayn
Legend
‎06-12-2013 05:56 AM

... | eventstats max(col2) as maxofcol1 by col1 | table col1 col2 maxofcol1

Reply
Solved! Jump to solution

leecaf
Explorer
‎06-12-2013 04:51 AM

I am aware of stats but 'stats max(col2) by col1' would return only the aggregates. I can join this with my original events but is that really the best way? or is there a cleverer more efficient way of doing this?

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎06-12-2013 03:42 AM

Out of what? Splunk doesn't have columns in that sense, to begin with.

0 Karma
Reply
Solved! Jump to solution

leecaf
Explorer
‎06-12-2013 02:43 AM

I want to produce a table with Col1, Col2, Col2-MaxOfCol1. that's the end goal.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎06-11-2013 12:41 PM

I think you need to submit sample events and what you want to do. Trying to apply SQL terms right away in Splunk often leads to confusion.

Reply
Get Updates on the Splunk Community!

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...

New Customer Testimonials

Enterprises of all sizes and across different industries are accelerating cloud adoption by migrating ...