Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Joining searches with multivaluate fields turn them into single valuate field

guilhem
Contributor
‎02-12-2013 05:22 AM

Hello!

I am having a problem with this query:

index=myIndex
| join FIELD1 max=0 [search index=myOtherIndex | stats values(FIELD2) as FIELD2 by FIELD1]

When I look a the result of the query, the FIELD2 is not multivaluate, it is composed of a single line with space between the values, instead of a multivalued field.

If I run the search index=myOtherIndex | stats values(FIELD2) as FIELD2 by FIELD1 (without the join), I get the correct result, which is a multivaluate FIELD2.

It seems like the join command is somewhat interfering with the properties of the fields?

Does anyone have a clue on what's going on?

Thanks!

Guilhem

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lpolo
Motivator
‎02-12-2013 06:22 AM

Try this query it might work fine for you case:

(index=myIndex) OR
(index=myOtherIndex)
| stats 
  first(_time) as _time
  values(FIELD2) as FIELD2
  dc(sourcetype) as dc by FIELD1|search dc=2

View solution in original post

Reply
Solved! Jump to solution
Solution

lpolo
Motivator
‎02-12-2013 06:22 AM

Try this query it might work fine for you case:

(index=myIndex) OR
(index=myOtherIndex)
| stats 
  first(_time) as _time
  values(FIELD2) as FIELD2
  dc(sourcetype) as dc by FIELD1|search dc=2
Reply
Solved! Jump to solution

guilhem
Contributor
‎09-02-2013 01:40 AM

I can't remember where this search is, but I am now using this solution:

index=myIndex
| join FIELD1 max=0 [search index=myOtherIndex | stats values(FIELD2) as FIELD2 by FIELD1 ]
| eval FIELD2 = split(FIELD2, " ")

because split creates a multivalued field by splitting FIELD2 using the given delimiter (here it is the space character)

It is far from efficient but it works. I am sure it is possible to update it to a more efficient version thow

Reply
Solved! Jump to solution

0waste_splunk
Communicator
‎08-21-2013 08:44 AM

@guilhem

can you post your solution? I am facing the same problem.

I really appreciate your reply

Thanks

0 Karma
Reply
Solved! Jump to solution

guilhem
Contributor
‎03-25-2013 06:30 AM

Thanks for the tip, I have finally done it in another way.

0 Karma
Reply
Get Updates on the Splunk Community!

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...