Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

selfjoin several result rows on different fields

wiar
Explorer
‎05-07-2021 05:07 AM

I have a search result where each 3  follwing lines are a block I want to join to one row like:

fld1 fld2 fld3 fld4
A               B
                  B      C
         D               C
E               F
                 F        G
         H                G

 

as a result of the join I want to have:

fld1 fld2 fld3 fld4
A      D      B      C
E      H      F       G

 

I have tried with the following search, which works partially:

| makeresults
| eval fld1="A", fld3="B"
| append [makeresults
| eval fld3="B", fld4="C"
]
| append [makeresults
| eval fld2="D", fld4="C"
]
| append [makeresults
| eval fld1="E", fld3="F"
]
| append [makeresults
| eval fld3="F", fld4="G"
]
| append [makeresults
| eval fld2="H", fld4="G"
]
| table fld1 fld2 fld3 fld4
| outputcsv fldRows
| fields - *
| append [
| inputcsv fldRows
| selfjoin fld3
]
| append [
| inputcsv fldRows
| selfjoin fld4
]
| selfjoin fld4

 

There are two probems:

when running for the first time there is no result.

When modifying a field the first value of this field is returned

There seems to be a problem that on th second and followng run outputcsv does not update fldRows

 

I am also curious if there is a simpler approach for getting the desired results

Thanks for a response.

 

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-07-2021 05:57 AM

Will it always be groups of 3?

| makeresults
| eval fld1="A", fld3="B"
| append [makeresults
| eval fld3="B", fld4="C"
]
| append [makeresults
| eval fld2="D", fld4="C"
]
| append [makeresults
| eval fld1="E", fld3="F"
]
| append [makeresults
| eval fld3="F", fld4="G"
]
| append [makeresults
| eval fld2="H", fld4="G"
]
| table fld1 fld2 fld3 fld4
| streamstats count as group
| eval group=floor((group-1)/3)
| stats values(*) as * by group

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-07-2021 05:57 AM

Will it always be groups of 3?

| makeresults
| eval fld1="A", fld3="B"
| append [makeresults
| eval fld3="B", fld4="C"
]
| append [makeresults
| eval fld2="D", fld4="C"
]
| append [makeresults
| eval fld1="E", fld3="F"
]
| append [makeresults
| eval fld3="F", fld4="G"
]
| append [makeresults
| eval fld2="H", fld4="G"
]
| table fld1 fld2 fld3 fld4
| streamstats count as group
| eval group=floor((group-1)/3)
| stats values(*) as * by group
0 Karma
Reply
Solved! Jump to solution

wiar
Explorer
‎05-07-2021 06:32 AM

A side question: what is the reason for the outputcsv file to not always be updated?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-07-2021 06:39 AM

No idea - my guess would be something to do with caching or sharing resources - are you running with a cluster?

0 Karma
Reply
Solved! Jump to solution

wiar
Explorer
‎05-07-2021 06:05 AM

@ITWhisperer: yes there are always 3 rows and thanks for your solution, that is exactly what I was searching for

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...