Search the Community
6,000 results
Sort by:
10-29-2024
01:44 AM
Good day, Is there a way to join all my rows into one? My simple query index=collect_identities sourcetype=ldap:query user
| dedup email
| table email extensionAttribute10 e...
01-13-2025
06:49 AM
In my logs I am getting 4 events for 1 id. 1)Updating DB record with displayId=ABC0000000; type=TRANSFER 2)Updating DB record with displayId=ABC0000000; type=MESSAGES 3)Updating DB re...
Labels
- Labels:
-
field extraction
-
stats
-
subsearch
Show results in replies (3)
-
index=ABC source=XYZ 'ABC00000000001' | fillnull value="SENDING" type | stats values(type) as types...
-
Assuming type and displayId are already extracted, NO .. I am not able to join All 3 condition t...
-
Assuming your events are as you showed, try using extract | makeresults | fields - _time | eval _r...
05-20-2024
05:38 AM
Hey guys, I'm having trouble joining two datasets with similar values I'm trying to join two datasets, both have a common "name" field, but the one on the left has the correct value and the one on t...
Show results in replies (4)
-
...eft_dataset_name right_dataset_name I would suppose that you used the join concept and not the use of the join c...
-
...ou intend to use join command, consider stats or another method instead. For example, &n...
-
...ne)*" | eval joined_name = upper(coalesce(NAME, name)) NAME(upper) is from the index 1, and name(l...
-
...+_)*" . left_name . "_"), left_name, null()))) | eval joined = coalesce(name, match_name) | f...
04-09-2024
11:42 AM
I am trying to join two searches together to table the combined results by host.
First search below is showing number of events in the last hour by host, index, and sourcetype:
| tstats count w...
Labels
09-19-2024
10:35 PM
Hi,
Join is not returning the data with subsearch, I tried many options from other answers but nothing working out.
Target is to check how many departments are using latest version of s...
Labels
- Labels:
-
table
03-27-2024
12:38 AM
this is the query, so i'm still a baby in this world (so I'm sorry if there is a dummy mistakes that might drive you crazy when you read this query). However, I'm trying to Join the Source Process I...
Labels
- Labels:
-
join
11-06-2024
10:54 AM
...eneric representation of my current query but I get nothing back.
index=event ... | join left=event right=vpn where event.src_ip=vpn.client_ip max=1 usetime=true earlier=true [search index=v...
Labels
- Labels:
-
join
08-22-2023
08:58 PM
Hello, How to join data from index and dbxquery without using JOIN, APPEND or stats command? Issue with JOIN: limit of subsearch 50,000 rows or fewer. Missing data. Issue with A...
06-28-2024
05:31 PM
I have an inputlookup called adexport.csv thats big... trying to join and match two fields in the lookup UserName and with the splunk field UserId. trying but this don't seem to work. T...
03-10-2020
09:49 AM
Anything wrong with this join and subsearch? I know there are events which should match based on the 'cs_host' field. Not sure if the rename is confusing things, or my syntax is off slightly.
i...
