All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to join or lookup results from one search to another for table output?

GeorgeStarkey
Path Finder
‎10-31-2014 01:46 PM

in the vmware app the following pieces exist

index=vmware-perf
moid mem_used mem_committed

index=vmware-inv
moid changeSet.name

changeset.name is the actual hostame of the vm's so endusers can easily identify.

I want to run something like this:
index=vmware-perf sourcetype=vmware:perf:mem moid=vm* | eval overuse=mem_committed-mem_used | stats min(overuse) by moid,mem_committed,mem_used | dedup moid

HOWEVER I then want to join (or lookup/remap) the changeSet.name from the other index based on the moid so that I can end up with a table that shows:

changeSet.name moid mem_committed mem_used overuse
host1 vm-5619 65222 32001.238281 33220.761719
host2 vm-822 65138 35497.636719 29640.363281
etc..

This is probably a simple join, but I can't quite get it to function

Reply
1 Solution
Solved! Jump to solution
Solution

GeorgeStarkey
Path Finder
‎10-31-2014 02:12 PM

I have solved this myself with:

index=vmware-perf
sourcetype=vmware:perf:mem moid=vm*
mem_committed>1 | join moid [search
index=vmware-inv moid=*
changeSet.name=vm*] | eval
overuse=mem_committed-mem_used | stats
min(overuse) by
changeSet.name,moid,mem_committed,mem_used
| dedup moid

though this is still very slow. there must be a faster way.

View solution in original post

Reply
Solved! Jump to solution
Solution

GeorgeStarkey
Path Finder
‎10-31-2014 02:12 PM

I have solved this myself with:

index=vmware-perf
sourcetype=vmware:perf:mem moid=vm*
mem_committed>1 | join moid [search
index=vmware-inv moid=*
changeSet.name=vm*] | eval
overuse=mem_committed-mem_used | stats
min(overuse) by
changeSet.name,moid,mem_committed,mem_used
| dedup moid

though this is still very slow. there must be a faster way.

Reply
Solved! Jump to solution

mipeters_splunk
Splunk Employee
Splunk Employee
‎07-31-2017 03:40 PM

the faster way would be to use data models and use the |tstats command with summariesonly. Good luck !!!!

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...