...ldRows | selfjoin fld3 ] | append [ | inputcsv fldRows | selfjoin fld4 ] | selfjoin fld4 There are two problems: when running for the first time there is no result. When modifying a f...
...ave the same 'Key', but I want to retain all of the 'Fields', ideally as a multi-value field.
So ending up with:
If I use a selfjoin I've only got the option to keep one or other of the a...
I'm a new user of splunk, and apparently I don't understand how selfjoin is supposed to work.
My log has a field sessionid . As a first pass, I enter the following search:
(alpha OR ( b...
Hi All,
I have a table in which I have columns such as name, id, type, business group etc
type field has 2 values 'user' or 'approver', there are some name which are both are user as well as approv...
Hello
I have a search that gives me back two types of events. event A with field r_code and some other fields while event B with a field s_code. I want to list only Events A that can be matched by...
I have a ...| selfjoin subsearch which joins on two fields id, vid. I then pass the fields I want kept to my main search via | fields + id + vid + url. My main search looks for all errors which w...
Right now this is displaying what I want but how can I return a row for each hour of the day when my alert is scheduled?
index=records "ProcessRec: Total Recd"
| eval fields=split(_raw,"|")
| ev...
I need help regarding a join from events based on different sourcetype (same index) that are related by the same value in different fields.
The logical flow starts from a bar chart that group/count ...
I have the current statement using append:
search_term1 | stats count by ip_address | table ip_address count | append [search search_term1 | dedup ip_address | table ipaddress _raw]
which ma...