Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Mimicing groupby & join behavior to get group aggregates

leecaf
Explorer
‎06-11-2013 11:36 AM

Referring to table below, If it started with only Col1 and Col2. In a relational DB I would do a groupby followed by a join on 'col1' to get the derived col 'MaxOfCol1' . is there a better to do it in splunk since joins are inefficient?

+------+------+-----------+
| Col1 | Col2 | MaxOfCol1 |
+------+------+-----------+
|    1 |    1 |         3 |
|    1 |    2 |         3 |
|    1 |    3 |         3 |
|    2 |    4 |        55 |
|    2 |    2 |        55 |
|    2 |   55 |        55 |
|    3 |   12 |        12 |
|    3 |    3 |        12 |
|    3 |    1 |        12 |
+------+------+-----------+
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

brettcave
Builder
‎06-12-2013 04:01 AM

1 function: stats.

Provide some sample data for more....
Keep this open for reference: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commonstatsfunctions

View solution in original post

0 Karma
Reply
Solved! Jump to solution

leecaf
Explorer
‎06-12-2013 04:52 AM

every event has a field called Col1 and Col2 as per the table above. I want to do an 'eval' like operation which will add the 3rd field MaxOfCol1 to each event.

0 Karma
Reply
Solved! Jump to solution
Solution

brettcave
Builder
‎06-12-2013 04:01 AM

1 function: stats.

Provide some sample data for more....
Keep this open for reference: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commonstatsfunctions

0 Karma
Reply
Solved! Jump to solution

brettcave
Builder
‎06-12-2013 05:58 AM

you could use transaction command too, and then use eval with some MV functions. You can also propogate 1 field to multiple events using stats values(col2) as col2_distinct by col1 | mvexpand col2_distinct. stats + values = a distinct list. stats + list = a full list.

Reply
Solved! Jump to solution

Ayn
Legend
‎06-12-2013 05:56 AM

... | eventstats max(col2) as maxofcol1 by col1 | table col1 col2 maxofcol1

Reply
Solved! Jump to solution

leecaf
Explorer
‎06-12-2013 04:51 AM

I am aware of stats but 'stats max(col2) by col1' would return only the aggregates. I can join this with my original events but is that really the best way? or is there a cleverer more efficient way of doing this?

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎06-12-2013 03:42 AM

Out of what? Splunk doesn't have columns in that sense, to begin with.

0 Karma
Reply
Solved! Jump to solution

leecaf
Explorer
‎06-12-2013 02:43 AM

I want to produce a table with Col1, Col2, Col2-MaxOfCol1. that's the end goal.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎06-11-2013 12:41 PM

I think you need to submit sample events and what you want to do. Trying to apply SQL terms right away in Splunk often leads to confusion.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...