- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Ho to get a single report by evaluating 3 saved se...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ho to get a single report by evaluating 3 saved searches
Scenario:
I need to get a single dashboard out of 3 different sourcetype by passing a unique ID using the form view.
I used the 3 queries and pulled the data to the user defined index - newindex and how do i get the data in a single value by passing the unique id.
- index=userindex Source=find_node_1 returns data as given below :
time_stamp mid sid
2012-06-25 14:52:39 123456789 3924110063741806337
2012-06-25 14:54:58 782345678 623458620530373121
2012-06-25 12:21:56 663236789 4189485991196251138
- index=userindex Source=find_node_2 returns data as given below :
vcs vcsSId csId
abc.occ analfnafafja-afafa-afafa 3924110063741806337
bac.occ baclfnafafja-afafa-afafa 623458620530373121
cac.occ cadlfnafafja-afafa-afafa 4189485991196251138
- index=userindex Source=find_node_3 returns data as given below : confid mcrconf host ============================================================= analfnafafja-afafa-afafa nafafja-afafa-afafa host1 baclfnafafja-afafa-afafa nafafja-cabab-atedd host2 cadlfnafafja-afafa-afafa nafafja-lalab-bcdef host3
The mapping from 1 and 2 : sid=vcsSId
The mapping from 2 and 3 : vcsSId=confid
Problem statement :
I want to get a single view of the all the above 3 with unique value by passing the "mid" dynamically using the form view.
I tried joins as given below and it fetches empty results.
index=userindex source=find_node_1 | fields time_stamp mid sid | join sid [ search source=find_node_2 | fields VCS vcsSId csId] | join vcsSId [search source=find_node_3 | fields confid mcrconf host] | table mid time_stamp sid confid mcrconf host
Please let me know if i am missing something help me on how would i combine to get a single view in a query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Join only works on a common field - and you haven't named common fields between your sources.
Try this:
index=userindex source=find_node_1
| fields time_stamp mid sid
| join sid
[ search source=find_node_2
| rename vcsSId as sid
| fields VCS sid csId]
| join sid
[search source=find_node_3
| rename confid as sid
| fields sid mcrconf host]
| table mid time_stamp sid mcrconf host
But why do you even need the middle join? Since you didn't use any of the fields from the second join, wouldn't it work as:
index=userindex source=find_node_1
| fields time_stamp mid sid
| join sid
[search source=find_node_3
| rename confid as sid
| fields sid mcrconf host]
| table mid time_stamp sid mcrconf host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot !
The reason for using middle join is to join the sid and , i would need some of the fileds in the final result to get them in the table
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
