Splunk Search

Combine two tables into one wrt two common parameter(where blank values should be filled with zero "0")

harshal_chakran
Builder

Hi ,
I have two input csv's which are displayed in splunk as shown in below image:

alt text

I want to search in second csv with respect to first CSV's param1 and param2.

i.e. To display a final table where, first csv output is as it is, only second csv's "second value" column is added with matching param1 and param2 value between both CSV. And for those , where there is no match should be filled with zero, "0".

I know its difficult to understand, hence putting the image for reference:

alt text

I tried the join command, but if those param1 and param2 fields from first CSV are not available in second CSV, that result is not displayed, which is not desirable.

Kindly help me to get the output as per the above image.

Tags (4)
0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

You could do this:

search for first CSV | join type=left param1 param2 [search for second CSV] | fillnull value2

View solution in original post

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You could do this:

search for first CSV | join type=left param1 param2 [search for second CSV] | fillnull value2
0 Karma

harshal_chakran
Builder

Thanks martin_mueller

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...