In SQL I can do this quite easily with the following command.

```sql
select a.first_name as first1, a.last_name as last1, b.first_name as first2, b.last_name as last2
from myTable a
inner join myTable b on a.id = b.referrer_id
```

Now, I've been attempting to replicate this in a Splunk query and have run into quite a few issues. First I attempted to use the transaction command, but that aggregated all of the related events together as opposed to matching them a pair at a time. Next, I attempted to use a subsearch, first finding the id and then searching in the subsearch, first for the first event by id and then appending the second event by referral_id. Then, since append creates a new row instead of appending to the same row, using a stats to aggregate the resulting rows by the matching id field. I did attempt to use appendcols but that didn't return anything for me.

```
| fields first_name, last_name, referral_id, date
| fields first1, last1, first2, last2, match_id, time
| stats values(first1) as first1, values(last1) as last1, values(first2) as first2, values(last2) as last2, values(time) as time by id
```

The above query works for me and gives me the table I need, but it is incredibly slow due to the repeated searches over the entire time frame, and also limited by the map maxsearches which, for whatever reason, cannot be set to unlimited. This seems like an overly complicated solution, especially in comparison to the SQL query. Surely there must exist a simpler, faster way that this can be done, which isn't limited by the arbitrary limited settings or the multiple repeating search queries.
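As an added example (not part of the original post), the pairing can be done in a single pass over the events by keying each referred record on its referral_id, which is the same idea as an SPL `eval`/`eventstats ... by` pipeline and avoids the per-row `map` searches; the sample events, the column name `referral_id` used throughout (the post's SQL says `referrer_id`) and the SPL idiom in the docstring are assumptions. The SQLite query reproduces the post's self-join so the two results can be compared.

```python
import sqlite3

# Constructed sample records (not from the original post). referral_id is the id
# of the user who referred this user and is None for users who were not referred.
EVENTS = [
    {"id": 1, "first_name": "Ann", "last_name": "Lee", "referral_id": None, "date": "2020-01-01"},
    {"id": 2, "first_name": "Bob", "last_name": "Ray", "referral_id": 1, "date": "2020-01-03"},
    {"id": 3, "first_name": "Cy", "last_name": "Tan", "referral_id": 1, "date": "2020-01-05"},
    {"id": 4, "first_name": "Dee", "last_name": "Ng", "referral_id": 9, "date": "2020-01-06"},  # referrer not in window
    {"id": 5, "first_name": "Eve", "last_name": "Ost", "referral_id": None, "date": "2020-01-07"},
]


def pair_referrals(events):
    """One pass over the events: index every record by id, then emit one row per
    referred record with its referrer's name attached (a pair at a time, so a
    referrer with several referrals yields several rows, unlike transaction).

    Equivalent SPL idiom (assumed field names; assumes a referrer is not itself
    a referred user, i.e. one level of referral):
      | eval pair_id=coalesce(referral_id, id)
      | eventstats values(eval(if(isnull(referral_id), first_name, null()))) as first1,
                   values(eval(if(isnull(referral_id), last_name, null()))) as last1 by pair_id
      | where isnotnull(referral_id)
    """
    by_id = {e["id"]: e for e in events}
    rows = []
    for e in events:
        if e["referral_id"] is None:
            continue  # not a referred record, nothing to pair
        ref = by_id.get(e["referral_id"])
        if ref is None:
            continue  # referrer outside the search window: dropped, as an inner join would
        rows.append((ref["first_name"], ref["last_name"],
                     e["first_name"], e["last_name"], e["referral_id"], e["date"]))
    return sorted(rows)


def pair_referrals_sql(events):
    """Same pairing via the post's SQL self-join, run on an in-memory SQLite copy."""
    con = sqlite3.connect(":memory:")
    con.execute("create table myTable (id integer, first_name text, last_name text, "
                "referral_id integer, date text)")
    con.executemany("insert into myTable values (:id, :first_name, :last_name, :referral_id, :date)",
                    events)
    rows = con.execute("select a.first_name, a.last_name, b.first_name, b.last_name, "
                       "b.referral_id, b.date from myTable a "
                       "inner join myTable b on a.id = b.referral_id").fetchall()
    con.close()
    return sorted(rows)
```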