Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

selfjoin several result rows on different fields

wiar
Explorer
‎05-07-2021 05:07 AM

I have a search result where each 3  follwing lines are a block I want to join to one row like:

fld1 fld2 fld3 fld4
A               B
                  B      C
         D               C
E               F
                 F        G
         H                G

 

as a result of the join I want to have:

fld1 fld2 fld3 fld4
A      D      B      C
E      H      F       G

 

I have tried with the following search, which works partially:

| makeresults
| eval fld1="A", fld3="B"
| append [makeresults
| eval fld3="B", fld4="C"
]
| append [makeresults
| eval fld2="D", fld4="C"
]
| append [makeresults
| eval fld1="E", fld3="F"
]
| append [makeresults
| eval fld3="F", fld4="G"
]
| append [makeresults
| eval fld2="H", fld4="G"
]
| table fld1 fld2 fld3 fld4
| outputcsv fldRows
| fields - *
| append [
| inputcsv fldRows
| selfjoin fld3
]
| append [
| inputcsv fldRows
| selfjoin fld4
]
| selfjoin fld4

 

There are two probems:

when running for the first time there is no result.

When modifying a field the first value of this field is returned

There seems to be a problem that on th second and followng run outputcsv does not update fldRows

 

I am also curious if there is a simpler approach for getting the desired results

Thanks for a response.

 

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-07-2021 05:57 AM

Will it always be groups of 3?

| makeresults
| eval fld1="A", fld3="B"
| append [makeresults
| eval fld3="B", fld4="C"
]
| append [makeresults
| eval fld2="D", fld4="C"
]
| append [makeresults
| eval fld1="E", fld3="F"
]
| append [makeresults
| eval fld3="F", fld4="G"
]
| append [makeresults
| eval fld2="H", fld4="G"
]
| table fld1 fld2 fld3 fld4
| streamstats count as group
| eval group=floor((group-1)/3)
| stats values(*) as * by group

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-07-2021 05:57 AM

Will it always be groups of 3?

| makeresults
| eval fld1="A", fld3="B"
| append [makeresults
| eval fld3="B", fld4="C"
]
| append [makeresults
| eval fld2="D", fld4="C"
]
| append [makeresults
| eval fld1="E", fld3="F"
]
| append [makeresults
| eval fld3="F", fld4="G"
]
| append [makeresults
| eval fld2="H", fld4="G"
]
| table fld1 fld2 fld3 fld4
| streamstats count as group
| eval group=floor((group-1)/3)
| stats values(*) as * by group
0 Karma
Reply
Solved! Jump to solution

wiar
Explorer
‎05-07-2021 06:32 AM

A side question: what is the reason for the outputcsv file to not always be updated?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-07-2021 06:39 AM

No idea - my guess would be something to do with caching or sharing resources - are you running with a cluster?

0 Karma
Reply
Solved! Jump to solution

wiar
Explorer
‎05-07-2021 06:05 AM

@ITWhisperer: yes there are always 3 rows and thanks for your solution, that is exactly what I was searching for

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...