Splunk Search

Self Join Statement does not work

Explorer

Self Join Statement does not work

Host Demo

RequestID | Method | Type

111 Method_X 1

222 Method_T 1

111 Method_Q 2

233 Method_R 1

As a result

i am looking for the flow of RequestID=111

RequestID | Method1 | Method2

111 Method_X Method_Q

Search code- not working:

host=Demo

| table RequestID Method

| where RequestID =111 and Type=1

| rename Method as Method1

| selfjoin RequestID
[
table RequestID Method
| where RequestID =111 and Type=2
| rename Method as Method2
]

|table RequestID Method1 Method2

looking for a solution

Thanks
shay

0 Karma

Revered Legend

First, the output you're looking for is not possible with self-join. Secondly, the self join syntax you're using is incorrect. The correct syntax is as follows:

Your search | selfjoin <selfjoin optoins> <join field name(s)>

What you're looking for can done by normal join as follows

host=Demo| table RequestID Method| where  RequestID =111 and Type=1| rename Method as Method1| join RequestID [search host=demo| table RequestID Method  | where  RequestID =111 and Type=2
  | rename Method as Method2]|table RequestID Method1 Method2 

Explorer

It's working
Thanks

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!