Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to combine Multiple joins with subsearch?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ravikanthbadugu
New Member
12-03-2019
01:34 AM
Hi ,
I have 3 joins with subsearch ,how can I combine those 3 joins and make as one join?
join new1 max=0 [search index=abc Source=WeeklyData earliest=@d+07h+30m latest=@d+14h+30m |rename xy AS new1, ExtraInfo AS "cd"]|rename new1 AS new2
|join new2 max=0 [search index=abc Source=WeeklyData earliest=@d+14h+30m latest=@d+16h+30m |rename xy AS new2, ExtraInfo AS "ef"]|rename new2 AS new3
| join new3 max=0 [search index=abc Source=WeeklyData earliest=-1d@d+16h+30m latest=@d+16h+30m |rename CurrentMouseName AS new3, _time AS "newtime", ExtraInfo AS "newinfo"]|table new3 oldInfo3 newinfo newtime
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
12-03-2019
10:33 PM
Try this:
(index=abc Source=WeeklyData earliest=@d+07h+30m latest=@d+14h+30m) OR
(index=abc Source=WeeklyData earliest=@d+14h+30m latest=@d+16h+30m) OR
(index=abc Source=WeeklyData earliest=-1d@d+16h+30m latest=@d+16h+30m)
| eval which=case(
_time>=relative_time(now(), "@d+07h+30m") AND _time<=relative_time(now(), "@d+14h+30m"), "src1",
_time>=relative_time(now(), "@d+14h+30m") AND _time<=relative_time(now(), "@d+16h+30m"), "src2",
true(), "src3")
| eval joiner = if(which=="src3", CurrentMouseName, xy)
| eval cd = if(which=="src1", ExtraInfo, null())
| eval ef = if(which=="src2", ExtraInfo, null())
| eval xy = if(which=="src3", xy, null())
| eval newtime = if(which=="src3", _time, null())
| fields - _* ExtraInfo
| stats values(*) AS * BY joiner
| table joiner oldInfo3 newinfo newtime
You might also do well to check out timewrap:
https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Timewrap
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
12-03-2019
10:33 PM
Try this:
(index=abc Source=WeeklyData earliest=@d+07h+30m latest=@d+14h+30m) OR
(index=abc Source=WeeklyData earliest=@d+14h+30m latest=@d+16h+30m) OR
(index=abc Source=WeeklyData earliest=-1d@d+16h+30m latest=@d+16h+30m)
| eval which=case(
_time>=relative_time(now(), "@d+07h+30m") AND _time<=relative_time(now(), "@d+14h+30m"), "src1",
_time>=relative_time(now(), "@d+14h+30m") AND _time<=relative_time(now(), "@d+16h+30m"), "src2",
true(), "src3")
| eval joiner = if(which=="src3", CurrentMouseName, xy)
| eval cd = if(which=="src1", ExtraInfo, null())
| eval ef = if(which=="src2", ExtraInfo, null())
| eval xy = if(which=="src3", xy, null())
| eval newtime = if(which=="src3", _time, null())
| fields - _* ExtraInfo
| stats values(*) AS * BY joiner
| table joiner oldInfo3 newinfo newtime
You might also do well to check out timewrap:
https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Timewrap
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
12-11-2019
09:27 AM
The key thing is to avoid BOTH join and subsearch, which is generally possible, like I did here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ravikanthbadugu
New Member
12-14-2019
01:36 AM
Hi When I am running the query I am getting this error
Error in 'eval' command: The expression is malformed. Expected ).
Please help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
12-14-2019
07:41 AM
I was missing two ); I re-edited and tested it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mstark31
Path Finder
12-03-2019
07:30 AM
Why have you decided to use 3 joins?
From what I can tell, it looks like the major difference between the 3 different subsearches is the time window. Would it be possible to use an if or case statement to rename fields based on when the events occur?
An example:
| eval TimeDiv1_Start = relative_time(now(), "@d+7h+30m")
| eval TimeDiv1_End = relative_time(now(), "@d+14h+30m")
| eval TimeDiv2_Start = relative_time(now(), "@d+14h+30m")
| eval TimeDiv2_End = relative_time(now(), "@d+16h+30m")
| eval TimeDiv3_Start = relative_time(now(), "-1d@d+16h+30m")
| eval TimeDiv3_End = relative_time(now(), "@d+16h+30m")
| eval TimeDiff = now() - _time
| eval TimeGroup = case((TimeDiff >= TimeDiv1_Start AND TimeDiff < TimeDiv1_End), "Bucket1", (TimeDiff >= TimeDiv2_Start AND TimeDiff < TimeDiv2_End), "Bucket2", (TimeDiff >= TimeDiv3_Start AND TimeDiff < TimeDiv2_End), "Bucket1", 1=1, null())
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ravikanthbadugu
New Member
12-03-2019
07:51 AM
Hi
This is query is regarding the Mouse Replacement.
we have bluetooth mouse connected to iMacs, so when the mouse are moved from one desk to another Desk , we need get that of those desk number to where the mouse has moved along with mouse details hence we are using multiple joins to get the data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
12-03-2019
04:48 PM
If you can provide logs, we can create queries that do not use Join.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
12-03-2019
07:03 AM
index=abc Source=WeeklyData earliest=-1d@d+16h+30m latest=@d+16h+30m
| eval label=case(relative_time(_time,"@d+07h+30m") <= _time OR _time < relative_time(_time,"@d+14h+30m"),"first"
,relative_time(_time,"@d+14h+30m") <= _time OR _time < relative_time(_time,"@d+16h+30m"), "second")
| eval label2=if(relative_time(_time,"-1d@d+14h+30m") <= _time OR _time < relative_time(_time,"@d+16h+30m"),"third",NULL)
| eventstats dc(label) as label_count values(label2) as label2 by CurrentMouseName ExtraInfo
| where label_cont > 1 AND isnotnull(label2)
| table _time ,CurrentMouseName , ExtraInfo
| rename _time as newTime, CurrentMouseName as new3, ExtraInfo as newInfo
I made it without join.
I am not sure oldInfo3 field.
Get Updates on the Splunk Community!
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
