Here is my query:
index="backup_script" conf_brand=ios OR conf_brand=nxos
| rex field=conf_hostname "(?P<hostname>^[^.]+)"
| eval status = "Device not sending logs to splunk"
| table hostname status
| dedup hostname | where like(hostname,"%"+"-rt-wan"+"%")
| join hostname [ search index="backup_script" conf_brand=ios OR conf_brand=nxos
| rex field=conf_hostname "(?P<host>^[^.]+)"
| stats count by host
| eval backup_hostname=host+"*"
| table backup_hostname
| where like(backup_hostname,"%"+"mon-rt-"+"%")
| map [ search eventtype=cisco_ios host=$backup_hostname$
| eval final_hostname = $backup_hostname$
| rex field=final_hostname "(?P<hostname>^[^*]+)"
| table hostname
| dedup hostname ] maxsearches=1000]
Table A
host
A
B
C
D
E

Table B
host
A
D
E

Result
host
B
C
Hello,
You can try something like this:
<first table query>
| table host status
| join type=outer host
    [ search <second table query>
      | rex field=host "(?<host2>.*)"
      | table host, host2 ]
| fillnull value="NULL" host2
| where host2="NULL"
I downvoted this post because it is not working.
@gts_ame_tfo_cty, downvoting on the Splunk Answers community is not the same as on other communities. Here we want more participation and healthy discussion rather than downvoting, unless the information is misleading or harmful for your Splunk instance. Refer to the Splunk Answers guidelines for the same.
Kindly consider the fact that Community Splunk Experts are trying to help you out with their Splunk experience alone, without having access to your Splunk System and Data, and sometimes even without having access to any Splunk instance at all.
Having said that, can I also request you to re-post your current searches for Table A and Table B with the code button 101010 in the Comment Box on Splunk Answers? Since you have some special characters in your code, your SPL is not getting posted correctly.
Hey @ts_ame_tfo_cty,
If your second table contains one more column with a proper value, then you can try the above query.
Thank you for your answer, but it's not working 😞
index="backup_script" conf_brand=ios OR conf_brand=nxos
| rex field=conf_hostname "(?P<hostname>^[^.]+)"
| eval status = "Device not sending logs to splunk"
| table hostname status
| dedup hostname | where like(hostname,"%"+"tor-rt-"+"%")
| join type=outer hostname [ search index="backup_script" conf_brand=ios OR conf_brand=nxos
| rex field=conf_hostname "(?P<host>^[^.]+)"
| stats count by host
| eval backup_hostname=host+"*"
| table backup_hostname
| where like(backup_hostname,"%"+"tor-rt-"+"%")
| map [ search eventtype=cisco_ios host=$backup_hostname$
| eval final_hostname = $backup_hostname$
| rex field=final_hostname "(?P<hostname>^[^*]+)"
| table hostname
| dedup hostname ] maxsearches=1000]
|fillnull value="NULL" status | where status="NULL"
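The thread is asking for a set difference: every host present in the backup inventory (Table A) that has no matching event in the cisco_ios logs (Table B). The following SPL is an added example that is not part of the original thread and not the answerer's query; it expresses that difference with `append` plus `stats` instead of `join`/`map`, so there is no per-host subsearch fan-out and no dependence on which side `fillnull` is applied to. It reuses the thread's own names (`index="backup_script"`, `conf_brand`, `conf_hostname`, `eventtype=cisco_ios`, the `tor-rt-` hostname pattern, and the "Device not sending logs to splunk" status string); the field name `shorthost` is my own. It also assumes, as the asker's `host=$backup_hostname$*` wildcard suggests, that the `host` field on the log events may carry a domain suffix, which is why both sides are reduced to the part before the first dot before being compared.

```spl
index="backup_script" (conf_brand=ios OR conf_brand=nxos)
| rex field=conf_hostname "(?<shorthost>^[^.]+)"
| where like(shorthost, "%tor-rt-%")
| eval source="backup"
| stats count BY shorthost source
| append
    [ search eventtype=cisco_ios
      | rex field=host "(?<shorthost>^[^.]+)"
      | where like(shorthost, "%tor-rt-%")
      | eval source="logs"
      | stats count BY shorthost source ]
| stats values(source) AS sources BY shorthost
| where isnull(mvfind(sources, "^logs$"))
| eval status="Device not sending logs to splunk"
| rename shorthost AS hostname
| table hostname status
```

Each side collapses to one row per host tagged with where it was seen; after the final `stats`, a host seen only in the backup inventory has `sources` equal to just "backup", and `mvfind` returning null is what selects it. Two checks before trusting the output: the subsearch inherits the outer time range unless you set `earliest`/`latest` inside it, so make the window long enough that a healthy device is expected to have logged at least once; and the `stats count BY` inside the subsearch is there to stay under the default subsearch result limit, which a raw event list from a busy eventtype would exceed silently. A device whose syslog `host` value is set from its source IP rather than its configured hostname will appear as "not sending logs" even though it is, so verify the `host` values for one known-good device in `eventtype=cisco_ios` first.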