Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

query using join

cevyn
Explorer
‎02-19-2014 08:35 AM

Trying to combine two logs .
Using this query to get a list of items from user log

source="/opt/mysplunk.log" earliest=-14days "logid=store-stuff" | eval storecode = substr(site,1,4) | top 3 storecode | FIELDS - count percent

that gives me a short list of
storecode

1 1234

2 6789

And the | FIELDS – count percent removes those extra fields so I just get my entries of 1234 6789
This also proves my substring is right because I’m catching the string I expect.
Now I try to feed that into a network log to catch possible related causes that show up there

source="/usr/local/nagios/var/nagios.log" earliest=-14days | join [ search source="/opt/mysplunk.log" earliest=-14days "logid=store-stuff" | eval storecode = substr(site,1,4) | top 3 storecode | FIELDS - count percent]

but the result seems to match 50k records that don’t have my identifiers of 1234 or 6789 in them .

What am I doing wrong or what debugging method in splunk do I use to figure out what it is really matching on? What is it actually piping through?
This is my first venture into join commands in splunk queries

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-19-2014 09:16 AM

Based on your comment, here's how you generically search in source A based on the top three values of somefield from source B:

source=A [search source=B | top 3 somefield | return 3 somefield]

Under the hood Splunk will first run the subsearch, translate the results to ((somefield="value1") OR (somefield="value2") OR (somefield="value3")), and then run the main search with that filter added.

If source A does not have a field called somefield you can search its raw text by adding a dollar sign in the return command like so: ... | return 3 $somefield. If the field is called something else in source A you can rename it on the fly like so: ... | return 3 otherfield=somfield.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-19-2014 12:01 PM

Like I said in the answer, put a dollar sign in front of the field in the return command like this:

... | return 3 $otherfield

That will yield (("value1") OR ("value2") OR ("value3")) as a filter for the main search.

0 Karma
Reply

cevyn
Explorer
‎02-19-2014 11:53 AM

You have been very generous. My query is close but I get no results. If I look at the job inspect function and look at subsearch it shows storecode="1234" when I think want it to just be "1234" (storecode being a variable I made up for the EVAL). Sorry I'm spending a lot of time getting used to the syntax . How do I drop the storecode= out .

I tried things like value(storecode) but have obviously not found the right thing. I feel like I'm trying to discuss philosophy in french and only have the vocabulary to say hello! thanks again.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-19-2014 10:03 AM

Remove the pipe before the opening square bracket.

0 Karma
Reply

cevyn
Explorer
‎02-19-2014 09:34 AM

so I changed it to source="/usr/local/nagios/var/nagios.log" earliest=-14days | [ search source="/opt/mysplunk.log" earliest=-14days "logid=store-stuff" | eval storecode = substr(site,1,4) | top 3 storecode | return 3 storecode ]

I get "Subsearches are only valid as arguments to commands." Perhaps i misunderstood your suggestion?

0 Karma
Reply

cevyn
Explorer
‎02-19-2014 09:10 AM

So clearly your questions have revealed my limited splunk query experience. The response that asked about literal search best understood my failings. yes I want to go to nagios with the results of 1234 or 6789 in my example. STORECODE was a literal I made up to capture the result of my substr. Thanks for your persistence with my initial note.

0 Karma
Reply

somesoni2
Revered Legend
‎02-19-2014 08:50 AM

does your source nagios.log have a field called storecode or your just want to do literal search for your storecode in the nagios.log events?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-19-2014 08:47 AM

Are you sure you're trying to perform a join? Usually you have one (or more) join columns/fields and one (or more) other columns/fields that get added in the join... but your subsearch only yields one column.

Maybe you're trying to filter the nagios source by results from the mysplunk source?

0 Karma
Reply

dart
Splunk Employee
Splunk Employee
‎02-19-2014 08:40 AM

You can see what is being returned if you use the search job inspector - it will have an entry like subsearch returned that should fill you in on what came through

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...