Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to "join" two different searches with no common fields?

CarmineCalo
Path Finder
‎01-18-2018 05:19 AM

Splunkers!

I need to join the follow inputlookup + event searche in order to have, for each AppID, the full set of month buckets given from the time range picker
Example:

Search 1 (Fromm inputlookup):
App1
App2
...

Search 2 (from index search)
Month 1
Month 2
...

Desired outcome:

App1 Month1
App1 Month2
App1 ...
App2 Month1
App2 Month2
App2 ...
... ...

Here the code for the two searches

Search 1

| inputlookup DOM_ApplicationCatalogue
| search Status="Production"

| stats count by ApplicationID

Search 2
| search index=Incidents
| dedup id_inc
| timechart span=1mon count
| eval datemonth_year=strftime(_time,"%Y-%m")
| fields count datemonth_year]

Any help?

Tks!
Carmine

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-18-2018 05:40 AM

you can try something like

| inputlookup DOM_ApplicationCatalogue 
| search Status="Production" 
| stats count by ApplicationID 
| appendcols 
    [ search index=Incidents 
    | dedup id_inc 
    | timechart span=1mon count 
    | eval datemonth_year=strftime(_time,"%Y-%m") 
    | fields count datemonth_year]

let me know if this helps !

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-18-2018 05:40 AM

you can try something like

| inputlookup DOM_ApplicationCatalogue 
| search Status="Production" 
| stats count by ApplicationID 
| appendcols 
    [ search index=Incidents 
    | dedup id_inc 
    | timechart span=1mon count 
    | eval datemonth_year=strftime(_time,"%Y-%m") 
    | fields count datemonth_year]

let me know if this helps !

0 Karma
Reply
Solved! Jump to solution

CarmineCalo
Path Finder
‎01-18-2018 06:04 AM

No, unfortunately it's not working...

It generate something like (hyp that Month = (Month 1, Month 2)

App1 Month 1
App2 Month 2
App3
App4
...

Carmine

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎01-18-2018 06:28 AM

if you are interested in just desired outcome then you can try something like this I may be wrong...but you will not be able to show count in this because logically linking count is not possible i think

app1 month1
app1 month2
app2 month1
app2 month2
..and so on

| inputlookup DOM_ApplicationCatalogue 
| search Status="Production" 
| stats count by ApplicationID 
| fields ApplicationID 
| appendcols 
    [ search index=Incidents 
    | dedup id_inc 
    | timechart span=1mon count 
    | eval datemonth_year=strftime(_time,"%Y-%m") 
    | fields datemonth_year ] 
| stats list(ApplicationID) as ApplicationID list(datemonth_year) as datemonth_year 
| mvexpand ApplicationID 
| mvexpand datemonth_year

let me know if this helps!

Reply
Solved! Jump to solution

CarmineCalo
Path Finder
‎01-18-2018 07:00 AM

Only one additional thing...

list(ApplicationID) create a field with "only" 100 value inside (my list of APpID is 4k+!)
How can i increase the number of values to listed?
Unfortunately "limit" option not works with stats...

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎01-18-2018 07:25 AM

Hey use values(ApplicationID) as ApplicationID

0 Karma
Reply
Solved! Jump to solution

CarmineCalo
Path Finder
‎01-18-2018 10:27 AM

Great! It works now 🙂

0 Karma
Reply
Solved! Jump to solution

CarmineCalo
Path Finder
‎01-18-2018 06:35 AM

Now It works!
Tks!

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...