Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to join the two tables?

youngrap
Explorer
‎08-03-2020 05:51 PM

I have 2 tables
I'd like to join the tables.

for example : 

A table

str1
str2
str3


B table

str4val1oval1
str5val2oval2
str6val3oval3


result : A + B table

str1str4val1oval1
str1str5val2oval2
str1str6val3oval3
str2str4val1oval1
str2str5val2oval2
str2str6val3oval3
str3str4val1oval1
str3str5val2oval2
str3str6val3oval3


thank you.

Labels (2)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-03-2020 08:21 PM

Assuming f1.csv contains the values of table A with field name f1 and tableb.csv contains the values of table b with field names C1, C2 and C3 the following does what you want

| inputlookup f1.csv
| append
[ 
| inputlookup tableb.csv
| eval B=C1.",".C2.",".C3
| table B
]
| eventstats values(B) as B
| where !isnull(f1)
| mvexpand B
| rex field=B "(?<C1>[^,]*),(?<C2>[^,]*),(?<C3>.*)"
| table f1, C1, C2, C3

Hope this helps

View solution in original post

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎08-04-2020 05:32 AM

Are you going to talk about Splunk? where is the field name? 

sample:

| makeresults
| eval Atable=split("str1,str2,str3",",")
| mvexpand Atable
| append [|makeresults| eval _raw="str,val,oval
str4,val1,oval1
str5,val2,oval2
str6,val3,oval3"
| multikv forceheader=1 ]
| eventstats list(Atable) as Atable
| mvexpand Atable
| where !isnull(linecount)
| table Atable str val oval

 

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-03-2020 08:21 PM

Assuming f1.csv contains the values of table A with field name f1 and tableb.csv contains the values of table b with field names C1, C2 and C3 the following does what you want

| inputlookup f1.csv
| append
[ 
| inputlookup tableb.csv
| eval B=C1.",".C2.",".C3
| table B
]
| eventstats values(B) as B
| where !isnull(f1)
| mvexpand B
| rex field=B "(?<C1>[^,]*),(?<C2>[^,]*),(?<C3>.*)"
| table f1, C1, C2, C3

Hope this helps

0 Karma
Reply
Solved! Jump to solution

youngrap
Explorer
‎08-04-2020 06:22 AM

Thank you, I solved it:)

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...