Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Search
Splunk Community
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Search
Search
Search the Community
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
6,805 results
Sort by:
10-29-2024
01:44 AM
Good day, Is there a way to join all my rows into one? My simple query index=collect_identities sourcetype=ldap:query user
| dedup email
| table email extensionAttribute10 e...
01-13-2025
06:49 AM
In my logs I am getting 4 events for 1 id. 1)Updating DB record with displayId=ABC0000000; type=TRANSFER 2)Updating DB record with displayId=ABC0000000; type=MESSAGES 3)Updating DB re...
Labels
- Labels:
-
field extraction
-
stats
-
subsearch
Show results in replies (3)
-
index=ABC source=XYZ 'ABC00000000001' | fillnull value="SENDING" type | stats values(type) as types...
-
Assuming type and displayId are already extracted, NO .. I am not able to join All 3 condition t...
-
Assuming your events are as you showed, try using extract | makeresults | fields - _time | eval _r...
05-20-2024
05:38 AM
Hey guys, I'm having trouble joining two datasets with similar values I'm trying to join two datasets, both have a common "name" field, but the one on the left has the correct value and the one on t...
Show results in replies (4)
-
...eft_dataset_name right_dataset_name I would suppose that you used the join concept and not the use of the join c...
-
...ou intend to use join command, consider stats or another method instead. For example, &n...
-
...ne)*" | eval joined_name = upper(coalesce(NAME, name)) NAME(upper) is from the index 1, and name(l...
-
...+_)*" . left_name . "_"), left_name, null()))) | eval joined = coalesce(name, match_name) | f...
4 weeks ago
...eel like I've tried everything (join, append + eventstats, subsearching) and unfortunately all have a limit which prevent me from getting the full set mapped. Join limit: 50,000 Append limit: 1...
05-09-2025
05:55 AM
Hi I have a difficult one - I am unsure if it is possible. I have large JSON data - Distributed traces. I can extract the data I need by doing 2 separate SPL - but I need to join them now, I...
Labels
- Labels:
-
using Splunk Enterprise
04-09-2024
11:42 AM
I am trying to join two searches together to table the combined results by host.
First search below is showing number of events in the last hour by host, index, and sourcetype:
| tstats count w...
Labels
03-27-2024
12:38 AM
this is the query, so i'm still a baby in this world (so I'm sorry if there is a dummy mistakes that might drive you crazy when you read this query). However, I'm trying to Join the Source Process I...
Labels
- Labels:
-
join
04-02-2025
07:30 PM
I have two searches and I only want to find rows which has common MessageID . Currently it is returning extra row because of second search . Query before Or is returning 100 records ...
- Tags:
- append
11-06-2024
10:54 AM
...eneric representation of my current query but I get nothing back.
index=event ... | join left=event right=vpn where event.src_ip=vpn.client_ip max=1 usetime=true earlier=true [search index=v...
Labels
- Labels:
-
join
09-19-2024
10:35 PM
Hi,
Join is not returning the data with subsearch, I tried many options from other answers but nothing working out.
Target is to check how many departments are using latest version of s...
Labels
- Labels:
-
table
