Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Trying to combine data within the same table u...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
First of all thank you for your time. I am quite new to splunk and I am struggling with this issue for some time but it seems quite more challenging than I initially expected.
I have this following sample data in tabular form:
| A | B | C | D | E | F |
| 0.1 | b1 | 0.1 | d1 | 0.1 | f1 |
| 0.11 | b2 | 0.2 | d2 | 0.35 | f2 |
| 0.2 | b3 | 0.3 | d3 | 0.9 | f3 |
| 0.22 | b4 | 1.0 | f4 | ||
0.4 | b5 | ||||
| 0.5 | b6 | ||||
| 0.55 | b7 | ||||
| 0.9 | b8 |
and I need to generate something like:
| A | B | C | D | E | F |
| 0.1 | b1 | 0.1 | d1 | 0.1 | f1 |
| 0.11 | b2 | ||||
| 0.2 | b3 | 0.2 | d2 | ||
| 0.22 | b4 | ||||
| 0.3 | 0.3 | d3 | |||
| 0.35 | 0.35 | f2 | |||
0.4 | b5 | ||||
| 0.5 | b6 | ||||
| 0.55 | b7 | ||||
| 0.9 | b8 | 0.9 | f3 | ||
| 1.0 | 1.0 | f4 |
So, first I need to merge column A with C and E sorted and then I need to make columns C and E match with column A including data in columns D and F respectively.
I guess there is an easy way to achieve this. I have tried with joins but I cannot make it work.
Any help would be much appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
| makeresults format=csv data="A,B,C,D,E,F
0.1,b1,0.1,d1,0.1,f1
0.11,b2,0.2,d2,0.35,f2
0.2,b3,0.3,d3,0.9,f3
0.22,b4,,,1.0,f4
0.4,b5
0.5,b6
0.55,b7
0.9,b8"
| table A B C D E F
``` The lines above create dummy event data in line with your example (it is often helpful if you had provided this yourself) ```
| appendpipe
[| rename A as a
| rename B as b
| eval C=null()
| eval D=null()
| eval E=null()
| eval F=null()]
| fields - A B
| appendpipe
[| where isnotnull(C)
| eval A=null()
| eval B=null()
| eval a=C
| rename C as c
| rename D as d
| eval E=null()
| eval F=null()]
| fields - C D
| appendpipe
[| where isnotnull(E)
| eval A=null()
| eval B=null()
| eval C=null()
| eval D=null()
| eval a=E
| rename E as e
| rename F as f]
| fields - E F
| where isnotnull(a)
| stats values(*) as * by a
| rename a as A
| rename b as B
| rename c as C
| rename d as D
| rename e as E
| rename f as F- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks like your sample data has been created with a couple of appendcols. If this is the case, perhaps it would be easier to go back a step and try and create your desired output from the original searches?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ITWhisperer ,
Actually I created the data by hand to kind of simplify the actual situation. Data is unfortunately sensitive and I cannot show too much. I did not use any appendcol for the actual data but eval with if conditions. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
| makeresults format=csv data="A,B,C,D,E,F
0.1,b1,0.1,d1,0.1,f1
0.11,b2,0.2,d2,0.35,f2
0.2,b3,0.3,d3,0.9,f3
0.22,b4,,,1.0,f4
0.4,b5
0.5,b6
0.55,b7
0.9,b8"
| table A B C D E F
``` The lines above create dummy event data in line with your example (it is often helpful if you had provided this yourself) ```
| appendpipe
[| rename A as a
| rename B as b
| eval C=null()
| eval D=null()
| eval E=null()
| eval F=null()]
| fields - A B
| appendpipe
[| where isnotnull(C)
| eval A=null()
| eval B=null()
| eval a=C
| rename C as c
| rename D as d
| eval E=null()
| eval F=null()]
| fields - C D
| appendpipe
[| where isnotnull(E)
| eval A=null()
| eval B=null()
| eval C=null()
| eval D=null()
| eval a=E
| rename E as e
| rename F as f]
| fields - E F
| where isnotnull(a)
| stats values(*) as * by a
| rename a as A
| rename b as B
| rename c as C
| rename d as D
| rename e as E
| rename f as F- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot @ITWhisperer . Works like a charm.
Sorry I am pretty newbie in splunk and did not even know the existence of command makeresults 😅
One short question, could this be do more flexible? I mean, if columns are named like
A1 B1 A2 B2 A3 B3 instead of A B C D E F
is there a way to make this in a "loop"? I tried foreach, but appendpipe cannot be used within a foreach statement.
Thanks a lot for your time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you can use different column names
No, I don't think this method can be done in a loop, however, there may be other ways to solve this which might be applied in a loop, but it may depend on the column names and the relationship between the pairs of column names, e.g. A and A1, B and B1, etc.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
