Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Mimicing groupby & join behavior to get group aggregates

leecaf
Explorer
‎06-11-2013 11:36 AM

Referring to table below, If it started with only Col1 and Col2. In a relational DB I would do a groupby followed by a join on 'col1' to get the derived col 'MaxOfCol1' . is there a better to do it in splunk since joins are inefficient?

+------+------+-----------+
| Col1 | Col2 | MaxOfCol1 |
+------+------+-----------+
|    1 |    1 |         3 |
|    1 |    2 |         3 |
|    1 |    3 |         3 |
|    2 |    4 |        55 |
|    2 |    2 |        55 |
|    2 |   55 |        55 |
|    3 |   12 |        12 |
|    3 |    3 |        12 |
|    3 |    1 |        12 |
+------+------+-----------+
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

brettcave
Builder
‎06-12-2013 04:01 AM

1 function: stats.

Provide some sample data for more....
Keep this open for reference: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commonstatsfunctions

View solution in original post

0 Karma
Reply
Solved! Jump to solution

leecaf
Explorer
‎06-12-2013 04:52 AM

every event has a field called Col1 and Col2 as per the table above. I want to do an 'eval' like operation which will add the 3rd field MaxOfCol1 to each event.

0 Karma
Reply
Solved! Jump to solution
Solution

brettcave
Builder
‎06-12-2013 04:01 AM

1 function: stats.

Provide some sample data for more....
Keep this open for reference: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commonstatsfunctions

0 Karma
Reply
Solved! Jump to solution

brettcave
Builder
‎06-12-2013 05:58 AM

you could use transaction command too, and then use eval with some MV functions. You can also propogate 1 field to multiple events using stats values(col2) as col2_distinct by col1 | mvexpand col2_distinct. stats + values = a distinct list. stats + list = a full list.

Reply
Solved! Jump to solution

Ayn
Legend
‎06-12-2013 05:56 AM

... | eventstats max(col2) as maxofcol1 by col1 | table col1 col2 maxofcol1

Reply
Solved! Jump to solution

leecaf
Explorer
‎06-12-2013 04:51 AM

I am aware of stats but 'stats max(col2) by col1' would return only the aggregates. I can join this with my original events but is that really the best way? or is there a cleverer more efficient way of doing this?

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎06-12-2013 03:42 AM

Out of what? Splunk doesn't have columns in that sense, to begin with.

0 Karma
Reply
Solved! Jump to solution

leecaf
Explorer
‎06-12-2013 02:43 AM

I want to produce a table with Col1, Col2, Col2-MaxOfCol1. that's the end goal.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎06-11-2013 12:41 PM

I think you need to submit sample events and what you want to do. Trying to apply SQL terms right away in Splunk often leads to confusion.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...