- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Creating a join when first search contains mul...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey all, this one has be stumped. I'm trying to join two searches where the first search includes a single field with multiple values. The matching field in the second search ONLY ever contains a single value. The search ONLY returns matches on the join when there are identical values for search 1 and search 2. In other words if search 1 has a field named id, and contains id=a and id=b and the second search contains id=b, no results will be returned. The search will ONLY return results if search 1 contains a single value for id.
Does anyone have any suggestion on how to join a search with multiple values?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@richnavis - If you have multiple values in outer query and single value in inner query also the join condition will work . please take a look into below sample code. kindly replace with a test index in inner query and test it ..
| makeresults
| eval mytrimexaxis =mvappend("1531981800","1531982400","1531982700","1531983000","1531983600")
| mvexpand mytrimexaxis
| table mytrimexaxis
| join type=inner mytrimexaxis [ index=*** (replace with ur tetsing index)
| eval mytrimexaxis="1531981800"
| table mytrimexaxis
]
| table mytrimexaxis
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PLease share your query, that way is easier to understand why is not working,
the logic of the join command should be that for each value on search 1 for the specific field you should have results in search 2 with additional information (other fields) .
What do you want to get from search 2 to include on search 1 ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's a simplified version of my search. Note, that this doesn't return results the way I would like either. It only returns values where the number of id values are equal, and the id values match
index=myindex "instances{}.id"="" | rename "instances{}.id as id
| join inner id [search index=myindex2 earliest=-1d id=]
The reason for the join is that index2 contains a "name" field that I want to include in my report. both contain ID fields, although I have to rename the one from index1 since it has a different name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Note, there's an asterisk at the end of the equal size in both searches... the html isn't showing it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I know why it's not giving you what you need.
In Search 2 you should include a table or stats of your results .
something like [search index=myindex2 earliest=-1d id=*|stats values(name) as name by id]
This will give you results that search 1 can use
you query should be something like this index=myindex "instances{}.id"="" | rename "instances{}.id as id
| join inner id [search index=myindex2 earliest=-1d id=*|stats values(name) as name by id] | table id name and other fields you want to include
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@richnavis - If you have multiple values in outer query and single value in inner query also the join condition will work . please take a look into below sample code. kindly replace with a test index in inner query and test it ..
| makeresults
| eval mytrimexaxis =mvappend("1531981800","1531982400","1531982700","1531983000","1531983600")
| mvexpand mytrimexaxis
| table mytrimexaxis
| join type=inner mytrimexaxis [ index=*** (replace with ur tetsing index)
| eval mytrimexaxis="1531981800"
| table mytrimexaxis
]
| table mytrimexaxis
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Brilliant! The key to making it work was to add the mvexpand into my first search. I did not realize that this command existed, but once I added that into my first search, the first and second search joined just like I wanted them to. Thanks so much for the help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
shankarananth, if you could convert your comment to an answer, I will accept that as the answer
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
