The query below shows the expected statistics table in Splunk 8.2, but shows only events in Splunk 6.2.
YOUR_SEARCH
| fields A_real.S*.A*
| rename A_real.* as *
| eval dummy=null()
| foreach S* [ eval dummy=if(isnull(dummy),"<<FIELD>>".":".'<<FIELD>>',dummy."|"."<<FIELD>>".":".'<<FIELD>>') ]
| eval dummy=split(dummy,"|")
| stats count by dummy
| fields - count
| eval f1=mvindex(split(dummy,"."),0), I1=mvindex(split(dummy,"."),1), Id=mvindex(split(I1,":"),0), {f1}=mvindex(split(I1,":"),1)
| fields - dummy I1 f1
| stats values(*) as * by Id
| lookup YOUR_LOOKUP Id
| where isnotnull(Timestamp)
| fields - Timestamp
Please check.
@ruhibansal The foreach command was introduced with Splunk version 6.3. That's why it's not working with 6.2.
For 6.3 as well, I am getting events and not statistics, as shown in the attached .png.
The query has no error; only the stats are 0.
Thanks for your efforts.
Even Splunk support could not find a solution, and I had to upgrade the version to resolve the issue.
The query mentioned gives the result of an inner join on two files.
Can you help to apply an outer join in the query?