Splunk Search

selfjoin several result rows on different fields


I have a search result where each 3 following lines are a block I want to join to one row like:

fld1 fld2 fld3 fld4
A         B
          B    C
     D         C
E         F
          F    G
     H         G


as a result of the join I want to have:

fld1 fld2 fld3 fld4
A    D    B    C
E    H    F    G


I have tried with the following search, which works partially:

| makeresults
| eval fld1="A", fld3="B"
| append [makeresults
| eval fld3="B", fld4="C"]
| append [makeresults
| eval fld2="D", fld4="C"]
| append [makeresults
| eval fld1="E", fld3="F"]
| append [makeresults
| eval fld3="F", fld4="G"]
| append [makeresults
| eval fld2="H", fld4="G"]
| table fld1 fld2 fld3 fld4
| outputcsv fldRows
| fields - *
| append [
| inputcsv fldRows
| selfjoin fld3]
| append [
| inputcsv fldRows
| selfjoin fld4]
| selfjoin fld4


There are two problems:

When running for the first time there is no result.

When modifying a field, the first value of this field is returned.

There seems to be a problem that on the second and following runs outputcsv does not update fldRows.


I am also curious if there is a simpler approach for getting the desired results

Thanks for a response.




Will it always be groups of 3?

| makeresults
| eval fld1="A", fld3="B"
| append [makeresults
| eval fld3="B", fld4="C"]
| append [makeresults
| eval fld2="D", fld4="C"]
| append [makeresults
| eval fld1="E", fld3="F"]
| append [makeresults
| eval fld3="F", fld4="G"]
| append [makeresults
| eval fld2="H", fld4="G"]
| table fld1 fld2 fld3 fld4
| streamstats count as group
| eval group=floor((group-1)/3)
| stats values(*) as * by group

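The accepted answer groups rows positionally (every three rows form a block), which is exactly right for the data the question describes. As an added example that is not part of the thread, the search below joins the same constructed rows by the values they share instead: the first two rows of a block share fld3, the last two share fld4, so eventstats propagates fld4 along the fld3 link and a final stats collapses each block on fld4. It assumes the values in fld3 and fld4 are unique to one block (if "B" or "C" reappeared in a later block, the blocks would merge); under that assumption it does not depend on the rows arriving in order or on the block size being exactly 3.

```spl
| makeresults
| eval fld1="A", fld3="B"
| append [| makeresults | eval fld3="B", fld4="C"]
| append [| makeresults | eval fld2="D", fld4="C"]
| append [| makeresults | eval fld1="E", fld3="F"]
| append [| makeresults | eval fld3="F", fld4="G"]
| append [| makeresults | eval fld2="H", fld4="G"]
| table fld1 fld2 fld3 fld4
``` the constructed six rows from the question ```
| eventstats values(fld4) as fld4 by fld3
``` rows with fld3 set now carry the block's fld4; rows without fld3 are left untouched ```
| stats values(*) as * by fld4
| table fld1 fld2 fld3 fld4
```

Expected result under the stated assumption: one row per fld4 value, A D B C and E H F G. If a key value can legitimately recur across blocks, keep the positional streamstats approach from the accepted answer, or first add a block id from the event order and include it in the by clause.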




A side question: what is the reason for the outputcsv file to not always be updated?



No idea - my guess would be something to do with caching or sharing resources - are you running with a cluster?



@ITWhisperer: yes, there are always 3 rows, and thanks for your solution, that is exactly what I was searching for.
