topic Re: How to join two searches? in Splunk Search

How to join two searches?

jerrytao — Wed, 19 Jun 2019 15:53:21 GMT

First search:

index=A source="FunctionHandler@*" "ul-ctx-caller-span-id"=null

With this search, I can get several row data with different methods in the field ul-log-data.method, so the table will be:

ul-ctx-head-span-id | ul-log-data.method
------------A-----------|---------------1-------------
------------B-----------|---------------2-------------
------------C-----------|---------------3-------------
------------D-----------|---------------2-------------

Second search:

index=A source="FunctionHandler@*" "ul-ctx-caller-span-id"!=null ul-ctx-head-span-id=1-5D0A0438-736C50A33B81102B75CBA44D

With the field "ul-ctx-head-span-id", second search will return 2 row data with different ul-log-data.function, ul-span-duration, so the table will be:

ul-ctx-head-span-id | ul-log-data.function|ul-span-duration
------------A-----------|---------------get------------- |--------xx-----------
------------A-----------|---------------post--------------|--------xx---------

Please note: the second search depends on the field "ul-ctx-head-span-id" in the result of first search.

Finally, I want get a table like below:

ul-ctx-head-span-id | ul-log-data.method | ul-log-data.function|ul-span-duration
------------A-----------|---------------1-------------|-----------get------------ |--------xx-----------
------------A-----------|---------------1-------------|-----------post---------- |--------xx----------
------------B-----------|---------------2-------------|-----------get------------ |--------xx-----------
------------B-----------|---------------2-------------|-----------post---------- |--------xx----------
------------C-----------|---------------3-------------|-----------get------------ |--------xx-----------
------------C-----------|---------------3-------------|-----------post---------- |--------xx----------
------------D-----------|---------------2-------------|-----------get------------ |--------xx-----------
------------D-----------|---------------2-------------|-----------post---------- |--------xx----------

It means if I get 4 row data in first search, then after join, I need show 8 row data

Forgive my poor English, can someone help on this?
Thanks in advance

Re: How to join two searches?

jnudell_2 — Wed, 19 Jun 2019 17:15:28 GMT

Hi @jerrytao ,

The easiest way to do this would be to use a join command:

index=cosv2 ul-ctx-source=c4rupgrd source="FunctionHandler@*" "ul-ctx-caller-span-id"!=null "ul-log-data.function"="GetRemainingAsync" OR "ul-log-data.http_url"="https://string/validatetoken"
| join ul-ctx-head-span-id 
   [ search index=cosv2 ul-ctx-source=c4rupgrd source="FunctionHandler@*" "ul-ctx-caller-span-id"=null "ul-log-data.http_url"!="*/health" "ul-log-data.http_url" IN ("https://string/queries*", "https://string/jobs*") ]
| rename ul-log-data.* as *
| replace ... put your replace stuff here ...        
| eval function = tostring(function) . "___" . tostring(http_url)
| table _time ul-ctx-head-span-id http_url function ul-span-duration

Try that and see if you get the results you're looking for.

Edit: Another way to accomplish this:

(index=cosv2 ul-ctx-source=c4rupgrd source="FunctionHandler@*")  ( ("ul-ctx-caller-span-id"=null) OR ("ul-ctx-caller-span-id"!=null "ul-log-data.method"="*") )
| eval func_dur = 'ul-log-data.function' . "|" . 'ul-span-duration'
| stats values(ul-log-data.method) as ul-log-data.method values(func_dur) as func_dur by ul-ctx-head-span-id
| mvexpand func_dur
| eval ul-log-data.function = mvindex(split(func_dur, "|"), 0), ul-span-duration = mvindex(split(func_dur, "|"), 1)
| table ul-ctx-head-span-id ul-log-data.method ul-log-data.function ul-span-duration

Re: How to join two searches?

jerrytao — Thu, 20 Jun 2019 15:49:43 GMT

Hi @jnudell_2 , thanks for help, unfortunately, it doesn't work as my expectation.
In my example, I need show 8 rows if first search returns 4 rows, but with your command, it only returns 4 rows whose ul-log-data.function is "get".
I update the request to make it much clearer, could you help to take a look? Thanks.

Re: How to join two searches?

jnudell_2 — Thu, 20 Jun 2019 16:02:43 GMT

Can you provide some sample data in non-formatted view (raw json)? If I had some sample data, I could put something together for you.

Re: How to join two searches?

jnudell_2 — Thu, 20 Jun 2019 16:28:30 GMT

Sorry, the join was wrong also... I have updated it above.

Re: How to join two searches?

jerrytao — Wed, 30 Sep 2020 01:01:11 GMT

@jnudell_2 , thanks for your quick response!
Actually, there are other filter rules in ul-log-data, so I simplified the description in the post. But I don't know how to process your command with other filters.
So I attached new screenshot with 2 single search results, hopes it can help to make the problem clearer. And I hided some private information, sorry for this.

And for the second search, do you have better way to combine the function? as the original result is
id | function1 | function2
--A-- GetRemainingAsync---(null)--
--A--------(null)----|------outgoing-----

Re: How to join two searches?

Vijeta — Thu, 20 Jun 2019 19:27:13 GMT

@jerrytao Try below

index=cosv2 ul-ctx-source=c4rupgrd source="FunctionHandler@*" "ul-ctx-caller-span-id"!=null ul-ctx-head-span-id=1-5D0A0438-736C50A33B81102B75CBA44D | join ul-ctx-head-span-id [search index=cosv2 ul-ctx-source=c4rupgrd source="FunctionHandler@*" "ul-ctx-caller-span-id"=null| fields ul-ctx-caller-span-id , ul-log-data.method] | table  ul-ctx-head-span-id ul-log-data.method ul-log-data.function ul-span-duration

Re: How to join two searches?

jerrytao — Thu, 20 Jun 2019 23:57:35 GMT

@Vijeta , I need join the result of second search for every ul-ctx-head-span-id, not only that single one. So I should not see "ul-ctx-head-span-id=1-5D0A0438-736C50A33B81102B75CBA44D". You can refer to newly added screenshot "full.PNG". Thanks for reply.

Re: How to join two searches?

marco1987 — Fri, 21 Jun 2019 15:43:48 GMT

Hi @jerrytao,
consider your Search1 with table result -> *A | B* and your Search2 with table result -> A | C | D, try this below to join table result -> A| B |C |D

  Search1
     |append[Search2]
     |stats values(B) as B values(C) as C values(D) as D by A

Re: How to join two searches?

jnudell_2 — Fri, 21 Jun 2019 15:43:54 GMT

I've updated the answer to reflect your additional data.

Re: How to join two searches?

jerrytao — Mon, 24 Jun 2019 05:44:00 GMT

@jnudell_2 , thank you so much! It works after reverse this 2 searches.

Re: How to join two searches?

woodcock — Mon, 24 Jun 2019 17:37:16 GMT

Are you using the join one or the other one?