Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Mimicing groupby & join behavior to get group aggregates

leecaf
Explorer
‎06-11-2013 11:36 AM

Referring to table below, If it started with only Col1 and Col2. In a relational DB I would do a groupby followed by a join on 'col1' to get the derived col 'MaxOfCol1' . is there a better to do it in splunk since joins are inefficient?

+------+------+-----------+
| Col1 | Col2 | MaxOfCol1 |
+------+------+-----------+
|    1 |    1 |         3 |
|    1 |    2 |         3 |
|    1 |    3 |         3 |
|    2 |    4 |        55 |
|    2 |    2 |        55 |
|    2 |   55 |        55 |
|    3 |   12 |        12 |
|    3 |    3 |        12 |
|    3 |    1 |        12 |
+------+------+-----------+
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

brettcave
Builder
‎06-12-2013 04:01 AM

1 function: stats.

Provide some sample data for more....
Keep this open for reference: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commonstatsfunctions

View solution in original post

0 Karma
Reply
Solved! Jump to solution

leecaf
Explorer
‎06-12-2013 04:52 AM

every event has a field called Col1 and Col2 as per the table above. I want to do an 'eval' like operation which will add the 3rd field MaxOfCol1 to each event.

0 Karma
Reply
Solved! Jump to solution
Solution

brettcave
Builder
‎06-12-2013 04:01 AM

1 function: stats.

Provide some sample data for more....
Keep this open for reference: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commonstatsfunctions

0 Karma
Reply
Solved! Jump to solution

brettcave
Builder
‎06-12-2013 05:58 AM

you could use transaction command too, and then use eval with some MV functions. You can also propogate 1 field to multiple events using stats values(col2) as col2_distinct by col1 | mvexpand col2_distinct. stats + values = a distinct list. stats + list = a full list.

Reply
Solved! Jump to solution

Ayn
Legend
‎06-12-2013 05:56 AM

... | eventstats max(col2) as maxofcol1 by col1 | table col1 col2 maxofcol1

Reply
Solved! Jump to solution

leecaf
Explorer
‎06-12-2013 04:51 AM

I am aware of stats but 'stats max(col2) by col1' would return only the aggregates. I can join this with my original events but is that really the best way? or is there a cleverer more efficient way of doing this?

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎06-12-2013 03:42 AM

Out of what? Splunk doesn't have columns in that sense, to begin with.

0 Karma
Reply
Solved! Jump to solution

leecaf
Explorer
‎06-12-2013 02:43 AM

I want to produce a table with Col1, Col2, Col2-MaxOfCol1. that's the end goal.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎06-11-2013 12:41 PM

I think you need to submit sample events and what you want to do. Trying to apply SQL terms right away in Splunk often leads to confusion.

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...