Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Left join not working

angadbagga
Explorer
‎08-03-2020 04:06 PM

HI

I have a query like below. Can i use something else than join 

index=hello sourcetype="logs A" source="C:\\football\ab*"  OR source="C:\\Tennis\cd*" OR source="C:\\Cricket\eb*" 
| rex (something)
|eval (something)
| join type=left
[search sourcetype = "logs B" source="C:\\football\ab*"  OR source="C:\\Tennis\cd*" OR source="C:\\Cricket\eb*" 
|rex (something)
|eval (somthing)]
table 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-03-2020 08:05 PM

If both independent searches work and there is a common 'Steel' to join on, then the search looks ok. What is the size of the data set and what results (if any) do you get.

However, to answer your question, yes you can always use something other than join (and probably should)

index=abc ((sourcetype="xyz" "efp") OR (sourcetype="ufh" "stn")) source="hello1" OR source="hello2*" OR source="hello3*"
| rex field=source (?<Tweet>"\b\w{2}\b")
| eval Steel = case(Tweet == "EV", "Steel1", Tweet == "SV", "Steel2")
| table Tweet Steel _time
| eval CompletionTime_Dep=if(sourcetype="xyz", _time, null())
| eval CompletionTime_CD=if(sourcetype="ufh", _time, null())
| convert ctime(CompletionTime_Dep)
| convert ctime(CompletionTime_CD)
| stats values(CompletionTime_*) as CompletionTime_* by Tweet Steel

However, in your example, will you have many rows where Steel has the same value (Steel1/Steel2)?

If so, then is the original intention of the join to bring all sub matches from the subsearch to each of the outer rows.  If so, then the above 'stats' may not be what you intended.

 

View solution in original post

Reply
Solved! Jump to solution

angadbagga
Explorer
‎08-03-2020 04:16 PM

I want different _time values for both the source types "logsA" and "logsB" in the tabe

0 Karma
Reply
Solved! Jump to solution

diogofgm
SplunkTrust
SplunkTrust
‎08-03-2020 05:23 PM

Hi angadbagga

Can you share more details? What's the format/fields of you data? What's the expected output? Have you tried to state field you want to join?

 

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

angadbagga
Explorer
‎08-03-2020 05:49 PM

Hi

Yes, i tried to state the field i wanted to join.  I am writing this query with dummy fields.  In short there are two source types and i want CompletionTime_Dep and CompletionTime_CD in the final table

 


index=abc sourcetype="xyz" "efp" source="hello1" OR source="hello2*" OR source="hello3*"
| rex field=source (?<Tweet>"\b\w{2}\b")
| eval Steel = case(Tweet == "EV", "Steel1", Tweet == "SV", "Steel2")
| table Tweet Steel _time
| rename _time as CompletionTime_Dep
| convert ctime(CompletionTime_Dep)
| join Steel type=left
[ search sourcetype="ufh" "stn" source="hello1" OR source="hello2*" OR source="hello3*"
rex field=source (?<Tweet>"\b\w{2}\b")
| eval Steel = case(Tweet == "EV", "Steel1", Tweet == "SV", "Steel2")
| table Tweet Steel _time
| rename _time as CompletionTime_CD
| convert ctime(CompletionTime_CD)]

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-03-2020 08:05 PM

If both independent searches work and there is a common 'Steel' to join on, then the search looks ok. What is the size of the data set and what results (if any) do you get.

However, to answer your question, yes you can always use something other than join (and probably should)

index=abc ((sourcetype="xyz" "efp") OR (sourcetype="ufh" "stn")) source="hello1" OR source="hello2*" OR source="hello3*"
| rex field=source (?<Tweet>"\b\w{2}\b")
| eval Steel = case(Tweet == "EV", "Steel1", Tweet == "SV", "Steel2")
| table Tweet Steel _time
| eval CompletionTime_Dep=if(sourcetype="xyz", _time, null())
| eval CompletionTime_CD=if(sourcetype="ufh", _time, null())
| convert ctime(CompletionTime_Dep)
| convert ctime(CompletionTime_CD)
| stats values(CompletionTime_*) as CompletionTime_* by Tweet Steel

However, in your example, will you have many rows where Steel has the same value (Steel1/Steel2)?

If so, then is the original intention of the join to bring all sub matches from the subsearch to each of the outer rows.  If so, then the above 'stats' may not be what you intended.

 

Reply
Solved! Jump to solution

angadbagga
Explorer
‎08-22-2020 08:39 PM

Thanks!!

0 Karma
Reply
Solved! Jump to solution

aa70627
Communicator
‎08-22-2020 05:09 PM

I would recommend going with @bowesmana  solution instead of a left join. Left joins in splunk is more problems than its worth. 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...