The query below shows the expected statistics table in Splunk 8.2, but shows only events in Splunk 6.2.
YOUR_SEARCH
| fields A_real.S*.A*
| rename A_real.* as *
| eval dummy=null()
| foreach S* [ eval dummy=if(isnull(dummy),"<<FIELD>>".":".'<<FIELD>>',dummy."|"."<<FIELD>>".":".'<<FIELD>>') ]
| eval dummy=split(dummy,"|")
| stats count by dummy
| fields - count
| eval f1=mvindex(split(dummy,"."),0), I1=mvindex(split(dummy,"."),1), Id=mvindex(split(I1,":"),0), {f1}=mvindex(split(I1,":"),1)
| fields - dummy I1 f1
| stats values(*) as * by Id
| lookup YOUR_LOOKUP Id
| where isnotnull(Timestamp)
| fields - Timestamp
Please check.
@ruhibansal The foreach command was introduced with Splunk version 6.3. That's why it's not working with 6.2.
https://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Foreach
KV
For 6.3 as well, I am getting events and not statistics, as shown in the attached .png.
Query has no error, only stats are 0.
Thanks for your efforts.
Even Splunk support could not find a solution, and I had to upgrade the version to resolve the issue.
Regards
Ruhi
The query mentioned gives the result of inner join on two files.
Can you help to apply an outer join in the query?
Regards
Ruhi