Solved: Re: How to "join" two different searches with no c...

CarmineCalo · ‎01-18-2018

Splunkers!

I need to join the follow inputlookup + event searche in order to have, for each AppID, the full set of month buckets given from the time range picker
Example:

Search 1 (Fromm inputlookup):
App1
App2
...

Search 2 (from index search)
Month 1
Month 2
...

Desired outcome:

App1 Month1
App1 Month2
App1 ...
App2 Month1
App2 Month2
App2 ...
... ...

Here the code for the two searches

Search 1

| inputlookup DOM_ApplicationCatalogue
| search Status="Production"

| stats count by ApplicationID

Search 2
| search index=Incidents
| dedup id_inc
| timechart span=1mon count
| eval datemonth_year=strftime(_time,"%Y-%m")
| fields count datemonth_year]

Any help?

Tks!
Carmine

mayurr98 · ‎01-18-2018

you can try something like

| inputlookup DOM_ApplicationCatalogue 
| search Status="Production" 
| stats count by ApplicationID 
| appendcols 
    [ search index=Incidents 
    | dedup id_inc 
    | timechart span=1mon count 
    | eval datemonth_year=strftime(_time,"%Y-%m") 
    | fields count datemonth_year]

let me know if this helps !

View solution in original post

mayurr98 · ‎01-18-2018

you can try something like

| inputlookup DOM_ApplicationCatalogue 
| search Status="Production" 
| stats count by ApplicationID 
| appendcols 
    [ search index=Incidents 
    | dedup id_inc 
    | timechart span=1mon count 
    | eval datemonth_year=strftime(_time,"%Y-%m") 
    | fields count datemonth_year]

let me know if this helps !

CarmineCalo · ‎01-18-2018

No, unfortunately it's not working...

It generate something like (hyp that Month = (Month 1, Month 2)

App1 Month 1
App2 Month 2
App3
App4
...

Carmine

mayurr98 · ‎01-18-2018

if you are interested in just desired outcome then you can try something like this I may be wrong...but you will not be able to show count in this because logically linking count is not possible i think

app1 month1
app1 month2
app2 month1
app2 month2
..and so on

| inputlookup DOM_ApplicationCatalogue 
| search Status="Production" 
| stats count by ApplicationID 
| fields ApplicationID 
| appendcols 
    [ search index=Incidents 
    | dedup id_inc 
    | timechart span=1mon count 
    | eval datemonth_year=strftime(_time,"%Y-%m") 
    | fields datemonth_year ] 
| stats list(ApplicationID) as ApplicationID list(datemonth_year) as datemonth_year 
| mvexpand ApplicationID 
| mvexpand datemonth_year

let me know if this helps!

CarmineCalo · ‎01-18-2018

Only one additional thing...

list(ApplicationID) create a field with "only" 100 value inside (my list of APpID is 4k+!)
How can i increase the number of values to listed?
Unfortunately "limit" option not works with stats...

mayurr98 · ‎01-18-2018

Hey use values(ApplicationID) as ApplicationID

CarmineCalo · ‎01-18-2018

Great! It works now 🙂

CarmineCalo · ‎01-18-2018

Now It works!
Tks!

How to "join" two different searches with no common fields?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?