Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Self Join Statement does not work

shayhk
Explorer
‎12-17-2013 04:30 AM

Self Join Statement does not work

Host Demo

RequestID | Method | Type

111 Method_X 1

222 Method_T 1

111 Method_Q 2

233 Method_R 1

As a result

i am looking for the flow of RequestID=111

RequestID | Method1 | Method2

111 Method_X Method_Q

Search code- not working:

host=Demo

| table RequestID Method

| where RequestID =111 and Type=1

| rename Method as Method1

| selfjoin RequestID
[
table RequestID Method
| where RequestID =111 and Type=2
| rename Method as Method2
]

|table RequestID Method1 Method2

looking for a solution

Thanks
shay

0 Karma
Reply

somesoni2
Revered Legend
‎12-17-2013 06:31 AM

First, the output you're looking for is not possible with self-join. Secondly, the self join syntax you're using is incorrect. The correct syntax is as follows:

Your search | selfjoin <selfjoin optoins> <join field name(s)>

What you're looking for can done by normal join as follows

host=Demo| table RequestID Method| where  RequestID =111 and Type=1| rename Method as Method1| join RequestID [search host=demo| table RequestID Method  | where  RequestID =111 and Type=2
  | rename Method as Method2]|table RequestID Method1 Method2
Reply

shayhk
Explorer
‎12-17-2013 07:53 AM

It's working
Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of Splunk APM’s and Splunk RUM’s streaming infrastructure in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...