Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

selfjoin several result rows on different fields

wiar
Explorer
‎05-07-2021 05:07 AM

I have a search result where each 3  follwing lines are a block I want to join to one row like:

fld1 fld2 fld3 fld4
A               B
                  B      C
         D               C
E               F
                 F        G
         H                G

 

as a result of the join I want to have:

fld1 fld2 fld3 fld4
A      D      B      C
E      H      F       G

 

I have tried with the following search, which works partially:

| makeresults
| eval fld1="A", fld3="B"
| append [makeresults
| eval fld3="B", fld4="C"
]
| append [makeresults
| eval fld2="D", fld4="C"
]
| append [makeresults
| eval fld1="E", fld3="F"
]
| append [makeresults
| eval fld3="F", fld4="G"
]
| append [makeresults
| eval fld2="H", fld4="G"
]
| table fld1 fld2 fld3 fld4
| outputcsv fldRows
| fields - *
| append [
| inputcsv fldRows
| selfjoin fld3
]
| append [
| inputcsv fldRows
| selfjoin fld4
]
| selfjoin fld4

 

There are two probems:

when running for the first time there is no result.

When modifying a field the first value of this field is returned

There seems to be a problem that on th second and followng run outputcsv does not update fldRows

 

I am also curious if there is a simpler approach for getting the desired results

Thanks for a response.

 

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-07-2021 05:57 AM

Will it always be groups of 3?

| makeresults
| eval fld1="A", fld3="B"
| append [makeresults
| eval fld3="B", fld4="C"
]
| append [makeresults
| eval fld2="D", fld4="C"
]
| append [makeresults
| eval fld1="E", fld3="F"
]
| append [makeresults
| eval fld3="F", fld4="G"
]
| append [makeresults
| eval fld2="H", fld4="G"
]
| table fld1 fld2 fld3 fld4
| streamstats count as group
| eval group=floor((group-1)/3)
| stats values(*) as * by group

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-07-2021 05:57 AM

Will it always be groups of 3?

| makeresults
| eval fld1="A", fld3="B"
| append [makeresults
| eval fld3="B", fld4="C"
]
| append [makeresults
| eval fld2="D", fld4="C"
]
| append [makeresults
| eval fld1="E", fld3="F"
]
| append [makeresults
| eval fld3="F", fld4="G"
]
| append [makeresults
| eval fld2="H", fld4="G"
]
| table fld1 fld2 fld3 fld4
| streamstats count as group
| eval group=floor((group-1)/3)
| stats values(*) as * by group
0 Karma
Reply
Solved! Jump to solution

wiar
Explorer
‎05-07-2021 06:32 AM

A side question: what is the reason for the outputcsv file to not always be updated?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-07-2021 06:39 AM

No idea - my guess would be something to do with caching or sharing resources - are you running with a cluster?

0 Karma
Reply
Solved! Jump to solution

wiar
Explorer
‎05-07-2021 06:05 AM

@ITWhisperer: yes there are always 3 rows and thanks for your solution, that is exactly what I was searching for

0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...