Solved: Multiple Join/outer within same search

eddy_liao · ‎10-25-2019

Hi

I have a very wierd requirement to transform the result of my search

**EMPLOYEE, BOSS**
ERIC, CHRIS
CHRIS, MACK
MACK, VAL
VAL, WILL

Into this:

**EMPLOYEE, BOSS, BOSS2, BOSS3, BOSS4**
ERIC, CHRIS, MACK, VAL, WILL
CHRIS, MACK, VAL, WILL
MACK, VAL, WILL
VAL, WILL
WIll

I know its a bit wierd and its normal to have missing.
Any ideas?

woodcock · ‎10-25-2019

Like this:

| makeresults 
| eval raw="EMPLOYEE=ERIC,BOSS=CHRIS EMPLOYEE=CHRIS,BOSS=MACK EMPLOYEE=MACK,BOSS=VAL EMPLOYEE=VAL,BOSS=WILL"
| makemv raw
| mvexpand raw
| rename raw AS _raw
| kv
| table EMPLOYEE BOSS

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| outputlookup employee_boss.csv
| lookup employee_boss.csv EMPLOYEE AS BOSS OUTPUT BOSS AS BOSS2
| lookup employee_boss.csv EMPLOYEE AS BOSS2 OUTPUT BOSS AS BOSS3
| lookup employee_boss.csv EMPLOYEE AS BOSS3 OUTPUT BOSS AS BOSS4

View solution in original post

woodcock · ‎10-25-2019

Like this:

| makeresults 
| eval raw="EMPLOYEE=ERIC,BOSS=CHRIS EMPLOYEE=CHRIS,BOSS=MACK EMPLOYEE=MACK,BOSS=VAL EMPLOYEE=VAL,BOSS=WILL"
| makemv raw
| mvexpand raw
| rename raw AS _raw
| kv
| table EMPLOYEE BOSS

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| outputlookup employee_boss.csv
| lookup employee_boss.csv EMPLOYEE AS BOSS OUTPUT BOSS AS BOSS2
| lookup employee_boss.csv EMPLOYEE AS BOSS2 OUTPUT BOSS AS BOSS3
| lookup employee_boss.csv EMPLOYEE AS BOSS3 OUTPUT BOSS AS BOSS4

eddy_liao · ‎10-25-2019

Thanks this works beautifully

woodcock · ‎10-25-2019

Be sure to come back and click Accept to close the question.

Multiple Join/outer within same search

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!