- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How can I append different fields from a subse...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I append different fields from a subsearch?
Hello,
I'm trying to search within another sourcetype and append fields oxygen, and rock to a CSV base search. I'm attempting to match them by id with this search:
|inputlookup environmentSample.csv |append [search sourcetype="environmentData" |fields oxygen rock id]
|table nitrogen bacteria id oxygen rock
environmentSample.csv:
nitrogen bacteria id
5 c. perfringens 111
7 B. cereus 222
sourcetype=environmentData:
oxygen rock id
3 pyrite 111
2.6 basalt 222
What query do I need to see this result -- where the results appear in the SAME ROW based on id?:
nitrogen bacteria id oxygen rock
5 c. perfringens 111 3 pyrite
7 B. cereus 222 2.6 basalt
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
|inputlookup environmentSample.csv |join id [search sourcetype="environmentData" |fields oxygen rock id]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I prefer to stay away from |join since it's an expensive command. In my real query so I have 3 subsearches; using |join would require me to use 3 |join commands, which would take a long time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want the output in your requested format, I think you should use join to link the data. Will watch for any alternative answers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @russell120
Try
your query...| selfjoin id
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try with
|inputlookup environmentSample.csv |append [search sourcetype="environmentData" |fields oxygen rock id] |selfjoin id |table nitrogen bacteria id oxygen rock
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This didn't work unfortunately. I think it may be because id in my sourcetype data has the id number as a multivalue for some reason, where it looks like:
id
111
111
222
222
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@russell120
Can you please try this?
|inputlookup environmentSample.csv |append [search sourcetype="environmentData" |fields oxygen rock id] |stats values(nitrogen) as nitrogen values(bacteria) as bacteria values(oxygen) as oxygen values(rock) as rock by id
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Would by id work if the CSV had
id
111
222
and the sourcetype=environmentData had the below as multivalues?
id
111
111
222
222
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
