- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Outer Join not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have data in a CSV called 25_million_Linie_Rule.csv (example below)
host,source,count
"INTERFACES_BUILD","/hp547srv1/apps/INTERFACES_BUILD/logs/traces/mxtiming_956675_hp547srv.fr.murex.com_**1254**.log",31436700
I also have data in real time.
If the data in rela time is the same as the .csv i don'twant to report it . So an outer join is needed, but i cant get it to work.
| tstats count where index="mlc_live" OR index="mxtiming_live" by host source
| dedup source
| sort 0 - count
| head 10
| where count > 25000000
| table host source count
| join type=outer source
[| inputlookup 25_million_Linie_Rule.csv ]
OUTPUT is below (However i get a line i already have in the csv, i should only get one line, the new line not the one i have in the .csv )
host source count
INTERFACES_BUILD /hp547srv1/apps/INTERFACES_BUILD/logs/traces/mxtiming_956675_hp547srv.fr.murex.com_**1254**.log 31436700
INTERFACES_BUILD /hp547srv1/apps/INTERFACES_BUILD/logs/traces/mxtiming_956678_hp547srv.fr.murex.com_**1992**.log 26617140
Any help would be great
Rob
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| tstats count where index="mlc_live" OR index="mxtiming_live" by host source
| dedup source
| sort 0 - count
| head 10
| where count > 25000000
| table host source count
| join type=outer source
[| inputlookup 25_million_Linie_Rule.csv
| eval csv=1]
| where isnull(csv)
| table host source count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| tstats count where index="mlc_live" OR index="mxtiming_live" by host source
| dedup source
| sort 0 - count
| head 10
| where count > 25000000
| table host source count
| join type=outer source
[| inputlookup 25_million_Linie_Rule.csv
| eval csv=1]
| where isnull(csv)
| table host source count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Brill - thanks 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the replay,
but i get
Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry, @robertlynch2020
I forgot to erase it. my answer is updated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the join is working as intended. Because the same event that lives in your 25_million_Linie_Rule.csv also would be found in your real-time main search. Doing the join should not remove events found in your main search that match those events in your 25_million_Linie_Rule.csv as I think you want.
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
Updated Team Landing Page in Splunk Observability
