Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Joining searches with multivaluate fields turn them into single valuate field

guilhem
Contributor
‎02-12-2013 05:22 AM

Hello!

I am having a problem with this query:

index=myIndex
| join FIELD1 max=0 [search index=myOtherIndex | stats values(FIELD2) as FIELD2 by FIELD1]

When I look a the result of the query, the FIELD2 is not multivaluate, it is composed of a single line with space between the values, instead of a multivalued field.

If I run the search index=myOtherIndex | stats values(FIELD2) as FIELD2 by FIELD1 (without the join), I get the correct result, which is a multivaluate FIELD2.

It seems like the join command is somewhat interfering with the properties of the fields?

Does anyone have a clue on what's going on?

Thanks!

Guilhem

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lpolo
Motivator
‎02-12-2013 06:22 AM

Try this query it might work fine for you case:

(index=myIndex) OR
(index=myOtherIndex)
| stats 
  first(_time) as _time
  values(FIELD2) as FIELD2
  dc(sourcetype) as dc by FIELD1|search dc=2

View solution in original post

Reply
Solved! Jump to solution
Solution

lpolo
Motivator
‎02-12-2013 06:22 AM

Try this query it might work fine for you case:

(index=myIndex) OR
(index=myOtherIndex)
| stats 
  first(_time) as _time
  values(FIELD2) as FIELD2
  dc(sourcetype) as dc by FIELD1|search dc=2
Reply
Solved! Jump to solution

guilhem
Contributor
‎09-02-2013 01:40 AM

I can't remember where this search is, but I am now using this solution:

index=myIndex
| join FIELD1 max=0 [search index=myOtherIndex | stats values(FIELD2) as FIELD2 by FIELD1 ]
| eval FIELD2 = split(FIELD2, " ")

because split creates a multivalued field by splitting FIELD2 using the given delimiter (here it is the space character)

It is far from efficient but it works. I am sure it is possible to update it to a more efficient version thow

Reply
Solved! Jump to solution

0waste_splunk
Communicator
‎08-21-2013 08:44 AM

@guilhem

can you post your solution? I am facing the same problem.

I really appreciate your reply

Thanks

0 Karma
Reply
Solved! Jump to solution

guilhem
Contributor
‎03-25-2013 06:30 AM

Thanks for the tip, I have finally done it in another way.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...