Splunk Search

selfjoin several result rows on different fields

wiar
Explorer

I have a search result where each 3  follwing lines are a block I want to join to one row like:

fld1 fld2 fld3 fld4
A               B
                  B      C
         D               C
E               F
                 F        G
         H                G

 

as a result of the join I want to have:

fld1 fld2 fld3 fld4
A      D      B      C
E      H      F       G

 

I have tried with the following search, which works partially:

| makeresults
| eval fld1="A", fld3="B"
| append [makeresults
| eval fld3="B", fld4="C"
]
| append [makeresults
| eval fld2="D", fld4="C"
]
| append [makeresults
| eval fld1="E", fld3="F"
]
| append [makeresults
| eval fld3="F", fld4="G"
]
| append [makeresults
| eval fld2="H", fld4="G"
]
| table fld1 fld2 fld3 fld4
| outputcsv fldRows
| fields - *
| append [
| inputcsv fldRows
| selfjoin fld3
]
| append [
| inputcsv fldRows
| selfjoin fld4
]
| selfjoin fld4

 

There are two probems:

when running for the first time there is no result.

When modifying a field the first value of this field is returned

There seems to be a problem that on th second and followng run outputcsv does not update fldRows

 

I am also curious if there is a simpler approach for getting the desired results

Thanks for a response.

 

Labels (1)
Tags (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Will it always be groups of 3?

| makeresults
| eval fld1="A", fld3="B"
| append [makeresults
| eval fld3="B", fld4="C"
]
| append [makeresults
| eval fld2="D", fld4="C"
]
| append [makeresults
| eval fld1="E", fld3="F"
]
| append [makeresults
| eval fld3="F", fld4="G"
]
| append [makeresults
| eval fld2="H", fld4="G"
]
| table fld1 fld2 fld3 fld4
| streamstats count as group
| eval group=floor((group-1)/3)
| stats values(*) as * by group

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Will it always be groups of 3?

| makeresults
| eval fld1="A", fld3="B"
| append [makeresults
| eval fld3="B", fld4="C"
]
| append [makeresults
| eval fld2="D", fld4="C"
]
| append [makeresults
| eval fld1="E", fld3="F"
]
| append [makeresults
| eval fld3="F", fld4="G"
]
| append [makeresults
| eval fld2="H", fld4="G"
]
| table fld1 fld2 fld3 fld4
| streamstats count as group
| eval group=floor((group-1)/3)
| stats values(*) as * by group
0 Karma

wiar
Explorer

A side question: what is the reason for the outputcsv file to not always be updated?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

No idea - my guess would be something to do with caching or sharing resources - are you running with a cluster?

0 Karma

wiar
Explorer

@ITWhisperer: yes there are always 3 rows and thanks for your solution, that is exactly what I was searching for

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...