Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to merge rows with a common field?

ndaniel88
Explorer
‎03-13-2019 11:49 AM

Hello, I have 1 single table that comes from two different searches/indexes/sourcetypes using append.

I need to join the results using 1 common field (name), in order to have per row all the information that I need.

The table I have is like:

+--------+--------+--------+------+----------+
| Date1 | Date2 | Date3 | name | Doc |
+--------+--------+--------+------+----------+
| Jan 08 |------- | --------- | A1 |----------|
| Jan 08 |------- | --------- | A2 |----------|
| Jan 08 |------- | --------- | A2 |----------|
| Jan 08 |------- | --------- | A3 |----------|
| Jan 08 |------- | --------- | A3 |----------|
| Jan 08 |------- | --------- | A3 |----------|
| Jan 08 |------- | --------- | A3 |----------|
| Jan 08 |------- | --------- | A3 |----------|
| Jan 08 |------- | --------- | A3 |----------|
| Jan 04 |------- | --------- | A4 |----------|
| Jan 09 |------- | --------- | A2 |----------|
|-----------| Jan2 | Jan09 | B1 | KYOM |
|-----------| Jan2 | Jan09 | A4 | UNYT |
|-----------| Jan2 | Jan09 | A1 | AGHY |
|-----------| Jan2 | Jan09 | A3 | POLK |
|-----------| Jan2 | Jan09 | B2 | TYHU |
+--------+--------+--------+------+----------+

And my goal is to end up with something like

+--------+---------+---------+--------+------+
| Date1 | Date2 | Date3 | name | Doc |
+--------+---------+---------+--------+------+
| Jan 08 | Jan2 | Jan09 | A1 | AGHY |
| Jan 08 | Jan2 | Jan09 | A2 |----------|
| Jan 08 | Jan2 | Jan09 | A2 |----------|
| Jan 08 | Jan2 | Jan09 | A3 | POLK |
| Jan 08 | Jan2 | Jan09 | A3 | POLK |
| Jan 08 | Jan2 | Jan09 | A3 | POLK |
| Jan 08 | Jan2 | Jan09 | A3 | POLK |
| Jan 08 | Jan2 | Jan09 | A3 | POLK |
| Jan 08 | Jan2 | Jan09 | A3 | POLK |
| Jan 04 | Jan2 | Jan09 | A4 | UNYT |
| Jan 09 | Jan2 | Jan09 | A2 |----------|
|----------| Jan2 | Jan09 | B1 | KYOM |
|----------| Jan2 | Jan09 | B2 | TYHU |
+--------+---------+---------+--------+------+

There is 1 and only 1 common field in the two searches, in the example the date match but is only for testing, it really never match. My search is like:

index=main sourcetype=test | many | many | many | condition
| append [search index=other | many | more | conditions]

I'm not using a single stats because it groups same name in 1 row (multivalue), and I need each result on its own row. Even tho they have same name, they are different events, that I'll evaluate per row after this table is generated.

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎03-13-2019 07:24 PM

I think the example is strange ...

If you concatenate Doc using name to data that Doc does not exist

(your search)
|streamstats count as no|eval no=if(isnull(Doc),0,no)
|stats list(*) as * by name
|fillnull value="" 
|mvexpand Date1
|table Date1,Date2,Date3,name,Doc

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎03-13-2019 07:24 PM

I think the example is strange ...

If you concatenate Doc using name to data that Doc does not exist

(your search)
|streamstats count as no|eval no=if(isnull(Doc),0,no)
|stats list(*) as * by name
|fillnull value="" 
|mvexpand Date1
|table Date1,Date2,Date3,name,Doc
0 Karma
Reply
Solved! Jump to solution

ndaniel88
Explorer
‎03-14-2019 07:47 AM

Why strange? that's exactly how my data looks, but with real data, lol.

Anyways, your answer works like a charm, Thank you, I appreciate.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-13-2019 04:42 PM

You say you don't want to use a single stats, but have you tried doing so and then using mvexpand to put each result in its own row?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

ndaniel88
Explorer
‎03-13-2019 05:47 PM

That's the thing, I don't know how to do so. I've tried m expand, but I guess I didn't do it correctly, I don't know how to use it to achieve my goal.

0 Karma
Reply
Solved! Jump to solution

moonmk
New Member
‎03-13-2019 06:01 PM

Try it. "join" use

index=main
| stats count by Date1 , Date2, Date3 , name , Doc
| join type=outer name [search index=other
| stats count by Date1 , Date2, Date3 , name , Doc ]
| table Date1 , Date2, Date3 , name , Doc

0 Karma
Reply
Solved! Jump to solution

ndaniel88
Explorer
‎03-14-2019 07:46 AM

I prefer not to use join due performance issues. Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...