Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

join only with the first row

rafadvega
Path Finder
‎11-10-2021 09:46 AM

Hi,

I need to join two searchs. For example:

Example 1:

 

| inputlookup join_example1.csv

 

countryproductdaystock
Spainapples10/10/202225
Franceapples10/10/202222
Spaingrapes10/10/202230
Francegrapes10/10/202228
Spainapples10/10/202125
Franceapples10/10/202122
Spaingrapes10/10/202130
Francegrapes10/10/202128

 

Example 2:

 

| inputlookup join_example2.csv

 

dayproductrequested
10/10/2022apples90
10/10/2021apples110
10/10/2022grapes100
10/10/2021grapes110


If I join bot searchs:

 

| inputlookup join_example1.csv
| join product, day
    [| inputlookup join_example2.csv]
| table product day country stock requested

 

The result is:

productdaycountrystockrequested
apples10/10/2022Spain2590
apples10/10/2022France2290
grapes10/10/2022Spain30100
grapes10/10/2022France28100
apples10/10/2021Spain25110
apples10/10/2021France22110
grapes10/10/2021Spain30110
grapes10/10/2021France28110

 

But I need the sub search merges only with the first result like this (only in one country):

productdaycountrystockrequested
apples10/10/2022Spain2590
apples10/10/2022France220
grapes10/10/2022Spain30100
grapes10/10/2022France280
apples10/10/2021Spain25110
apples10/10/2021France220
grapes10/10/2021Spain30110
grapes10/10/2021France280

 

That is only a example, I need only merge subsearchs results once. Anyone knows a solution for this?

Thanks!!!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-10-2021 01:50 PM

You can add this to the end of your example search

| streamstats c by product day
| eval requested=if(c=1,requested,0)
| fields - c

which simply does a count by product and day and then sets requested to 0 if the count value is not 1

Not sure if this will give you a general solution though.

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-10-2021 01:50 PM

You can add this to the end of your example search

| streamstats c by product day
| eval requested=if(c=1,requested,0)
| fields - c

which simply does a count by product and day and then sets requested to 0 if the count value is not 1

Not sure if this will give you a general solution though.

 

Reply
Solved! Jump to solution

rafadvega
Path Finder
‎11-10-2021 11:30 PM

That is a perfect solution. Thank you very much!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...