Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

selfjoin several result rows on different fields

wiar
Explorer
‎05-07-2021 05:07 AM

I have a search result where each 3  follwing lines are a block I want to join to one row like:

fld1 fld2 fld3 fld4
A               B
                  B      C
         D               C
E               F
                 F        G
         H                G

 

as a result of the join I want to have:

fld1 fld2 fld3 fld4
A      D      B      C
E      H      F       G

 

I have tried with the following search, which works partially:

| makeresults
| eval fld1="A", fld3="B"
| append [makeresults
| eval fld3="B", fld4="C"
]
| append [makeresults
| eval fld2="D", fld4="C"
]
| append [makeresults
| eval fld1="E", fld3="F"
]
| append [makeresults
| eval fld3="F", fld4="G"
]
| append [makeresults
| eval fld2="H", fld4="G"
]
| table fld1 fld2 fld3 fld4
| outputcsv fldRows
| fields - *
| append [
| inputcsv fldRows
| selfjoin fld3
]
| append [
| inputcsv fldRows
| selfjoin fld4
]
| selfjoin fld4

 

There are two probems:

when running for the first time there is no result.

When modifying a field the first value of this field is returned

There seems to be a problem that on th second and followng run outputcsv does not update fldRows

 

I am also curious if there is a simpler approach for getting the desired results

Thanks for a response.

 

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-07-2021 05:57 AM

Will it always be groups of 3?

| makeresults
| eval fld1="A", fld3="B"
| append [makeresults
| eval fld3="B", fld4="C"
]
| append [makeresults
| eval fld2="D", fld4="C"
]
| append [makeresults
| eval fld1="E", fld3="F"
]
| append [makeresults
| eval fld3="F", fld4="G"
]
| append [makeresults
| eval fld2="H", fld4="G"
]
| table fld1 fld2 fld3 fld4
| streamstats count as group
| eval group=floor((group-1)/3)
| stats values(*) as * by group

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-07-2021 05:57 AM

Will it always be groups of 3?

| makeresults
| eval fld1="A", fld3="B"
| append [makeresults
| eval fld3="B", fld4="C"
]
| append [makeresults
| eval fld2="D", fld4="C"
]
| append [makeresults
| eval fld1="E", fld3="F"
]
| append [makeresults
| eval fld3="F", fld4="G"
]
| append [makeresults
| eval fld2="H", fld4="G"
]
| table fld1 fld2 fld3 fld4
| streamstats count as group
| eval group=floor((group-1)/3)
| stats values(*) as * by group
0 Karma
Reply
Solved! Jump to solution

wiar
Explorer
‎05-07-2021 06:32 AM

A side question: what is the reason for the outputcsv file to not always be updated?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-07-2021 06:39 AM

No idea - my guess would be something to do with caching or sharing resources - are you running with a cluster?

0 Karma
Reply
Solved! Jump to solution

wiar
Explorer
‎05-07-2021 06:05 AM

@ITWhisperer: yes there are always 3 rows and thanks for your solution, that is exactly what I was searching for

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...