Solved: Splunk Query with complex join and groupBy

ma_anand1984 · ‎09-10-2012

Events type

name, subtype, type, sal

EVENT sample

jack,male,human, 1000

rose,female,human,1500

I want to get the below output. Can someone help?

               Name    Salary
Human(male)    Jack     1000
Human(female)  Rose      1500

kristian_kolb · ‎09-10-2012

Assuming that the CSV fields are known to Splunk in the manner you state;

...| eval full_type = type . "(" . subtype . ")" | table full_type, name, sal

As you can see, this is a quite simple operation (just doing some string manipulation, and then tabulating it). Like jonuwz and Ayn says, please provide more complex data, if this solution is not good enough.

Hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎09-10-2012

Assuming that the CSV fields are known to Splunk in the manner you state;

...| eval full_type = type . "(" . subtype . ")" | table full_type, name, sal

As you can see, this is a quite simple operation (just doing some string manipulation, and then tabulating it). Like jonuwz and Ayn says, please provide more complex data, if this solution is not good enough.

Hope this helps,

Kristian

Ayn · ‎09-10-2012

Please show us what the desired output would be in that more complex scenario.

ma_anand1984 · ‎09-10-2012

my event is CSV and i want output in a table. Yes please assume that there are more events with multiple types and sub types

jonuwz · ‎09-10-2012

The sample output you require is just reformatting the event data you already have - there's no joins or group by.

Perhaps you could give a sample output when there is more than one of human(male) and/or more than one of human(female)

Splunk Query with complex join and groupBy

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!