Solved: Combine two tables into one wrt two common parame...

harshal_chakran · ‎07-24-2014

Hi ,
I have two input csv's which are displayed in splunk as shown in below image:

I want to search in second csv with respect to first CSV's param1 and param2.

i.e. To display a final table where, first csv output is as it is, only second csv's "second value" column is added with matching param1 and param2 value between both CSV. And for those , where there is no match should be filled with zero, "0".

I know its difficult to understand, hence putting the image for reference:

I tried the join command, but if those param1 and param2 fields from first CSV are not available in second CSV, that result is not displayed, which is not desirable.

Kindly help me to get the output as per the above image.

martin_mueller · ‎07-24-2014

You could do this:

search for first CSV | join type=left param1 param2 [search for second CSV] | fillnull value2

View solution in original post

martin_mueller · ‎07-24-2014

You could do this:

search for first CSV | join type=left param1 param2 [search for second CSV] | fillnull value2

harshal_chakran · ‎07-24-2014

Thanks martin_mueller

Combine two tables into one wrt two common parameter(where blank values should be filled with zero "0")

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!