Solved: Using join statement with count and dedup

cpeteman · ‎06-17-2013

I have the current statement using append:

search_term1 | stats count by ip_address | table ip_address count | append [search search_term1 | dedup ip_address | table ipaddress _raw]

which makes a table rows:

ip_address---------- count ------------ _raw

123.456.1.1 -------- 520 ------------------

123.456.1.1 ----------------------------- raw data

I would like to combine my data into single lines:

ip_address---------- count ------------ _raw

123.456.1.1 -------- 520 -------------- raw data

It seems that I should use the join statement but when I do the raw data refuses to display at all. Please help! Thanks!

cpeteman · ‎06-17-2013

I was able to solve this by using selfjoin statement:

search_term1 | stats count by ip_address | rename ip_address as sip_address | rename count as scount | table sip_address,scount | append [ search search_term1 | dedup ip_address | rename ip_address as sip_address | table sip_address,_raw ] | selfjoin sip_address

View solution in original post

cpeteman · ‎07-01-2013

I've had to do a fair bit more on this stuff since I asked so I may have a shot at helping

cpeteman · ‎07-01-2013

If anyone need help with a problem similar to this feel free to comment.

cpeteman · ‎06-17-2013

I was able to solve this by using selfjoin statement:

search_term1 | stats count by ip_address | rename ip_address as sip_address | rename count as scount | table sip_address,scount | append [ search search_term1 | dedup ip_address | rename ip_address as sip_address | table sip_address,_raw ] | selfjoin sip_address

cpeteman · ‎06-28-2013

Although I would still like to know why it is that count must be renamed.

Using join statement with count and dedup

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...