Splunk Search

How to "join" two different searches with no common fields?

CarmineCalo
Path Finder

Splunkers!

I need to join the following inputlookup + event search in order to have, for each AppID, the full set of month buckets given by the time range picker.
Example:

Search 1 (from inputlookup):
App1
App2
...

Search 2 (from index search):
Month 1
Month 2
...

Desired outcome:

App1 Month1
App1 Month2
App1 ...
App2 Month1
App2 Month2
App2 ...
... ...

Here is the code for the two searches.

Search 1

| inputlookup DOM_ApplicationCatalogue
| search Status="Production"
| stats count by ApplicationID

Search 2

| search index=Incidents
| dedup id_inc
| timechart span=1mon count
| eval datemonth_year=strftime(_time,"%Y-%m")
| fields count datemonth_year

Any help?

Tks!
Carmine


mayurr98
Super Champion

You can try something like:

| inputlookup DOM_ApplicationCatalogue 
| search Status="Production" 
| stats count by ApplicationID 
| appendcols 
    [ search index=Incidents 
    | dedup id_inc 
    | timechart span=1mon count 
    | eval datemonth_year=strftime(_time,"%Y-%m") 
    | fields count datemonth_year]

Let me know if this helps!


CarmineCalo
Path Finder

No, unfortunately it's not working...

It generates something like this (assuming Month = (Month 1, Month 2)):

App1 Month 1
App2 Month 2
App3
App4
...

Carmine


mayurr98
Super Champion

If you are interested in just the desired outcome, then you can try something like this. I may be wrong... but you will not be able to show the count in this, because logically linking the count is not possible, I think.

app1 month1
app1 month2
app2 month1
app2 month2
..and so on

| inputlookup DOM_ApplicationCatalogue 
| search Status="Production" 
| stats count by ApplicationID 
| fields ApplicationID 
| appendcols 
    [ search index=Incidents 
    | dedup id_inc 
    | timechart span=1mon count 
    | eval datemonth_year=strftime(_time,"%Y-%m") 
    | fields datemonth_year ] 
| stats list(ApplicationID) as ApplicationID list(datemonth_year) as datemonth_year 
| mvexpand ApplicationID 
| mvexpand datemonth_year

Let me know if this helps!

CarmineCalo
Path Finder

Only one additional thing...

list(ApplicationID) creates a field with "only" 100 values inside (my list of AppIDs is 4k+!).
How can I increase the number of values listed?
Unfortunately the "limit" option does not work with stats...


mayurr98
Super Champion

Hey, use values(ApplicationID) as ApplicationID
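As an added illustration that is not part of this thread or of Splunk itself: a small Python model of the three SPL behaviours discussed above (appendcols row alignment, stats list() with its 100-value cap, and stats values() followed by mvexpand). It assumes list() keeps only the first 100 values, as Carmine observed, and that values() is not capped; the sample app IDs and month buckets are constructed.

```python
"""Model of the SPL pipelines from this thread (added example, not the thread's code).
Assumptions: stats list() keeps at most LIST_MAXSIZE values; stats values() is
de-duplicated, sorted and uncapped; appendcols pairs rows by position."""
from itertools import product, zip_longest

LIST_MAXSIZE = 100  # assumption: the cap the poster hit with list(ApplicationID)

# Constructed sample input: four app IDs from the lookup, two month buckets from timechart.
APPS = [f"App{i}" for i in range(1, 5)]
MONTHS = ["2024-01", "2024-02"]


def appendcols_join(apps, months):
    """appendcols glues subsearch rows onto main-search rows by position,
    so from the third app onward the month column is empty (the result Carmine saw)."""
    return [(app, month) for app, month in zip_longest(apps, months)]


def stats_list(values):
    """stats list(): keeps order and duplicates, but only the first LIST_MAXSIZE values."""
    return list(values)[:LIST_MAXSIZE]


def stats_values(values):
    """stats values(): de-duplicated, lexicographically sorted, no cap (assumed)."""
    return sorted(set(values))


def cross_join(apps, months, agg=stats_values):
    """stats agg(ApplicationID) agg(datemonth_year) | mvexpand ApplicationID | mvexpand datemonth_year:
    the single multivalue row expands to the full app x month product."""
    return list(product(agg(apps), agg(months)))


if __name__ == "__main__":
    print("appendcols:", appendcols_join(APPS, MONTHS))
    print("cross join:", cross_join(APPS, MONTHS))
    big = [f"App{i}" for i in range(1, 4001)]  # constructed: the poster's 4k+ app IDs
    print("rows with list():", len(cross_join(big, MONTHS, agg=stats_list)))
    print("rows with values():", len(cross_join(big, MONTHS, agg=stats_values)))
```

With 4,000 app IDs the list() variant silently yields only 200 rows, while values() gives all 8,000.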


CarmineCalo
Path Finder

Great! It works now 🙂


CarmineCalo
Path Finder

Now it works!
Thanks!
