How to replace join command with any other alternative command for the below query?

pstalin_ — Thu, 03 Dec 2020 04:52:47 GMT

index=105261-cli sourcetype=show_processes_cpu pid=0
| dedup deviceId
| fields deviceId, idle, fiveMinutes
| eval cpuLoad = round(if(isnull(fiveMinutes), 100-idle, fiveMinutes))
| join deviceId
[ search index=105261-np sourcetype=device_details
| fields deviceId, deviceName, productFamily, swVersion ]
| eval Status=if((cpuLoad <85 ), "OK" , "Not OK" )
| table deviceName, productFamily, cpuLoad, swVersion, Status
| sort - cpuLoad

Re: How to replace join command with any other alternative command for the below query?

bowesmana — Thu, 03 Dec 2020 05:06:50 GMT

@pstalin_

This query might do the trick. I believe your dedup will in practice get the most recent event from the cli index for that device, hence the use of latest(*)

(index=105261-cli sourcetype=show_processes_cpu pid=0) OR (index=105261-np sourcetype=device_details) | fields deviceId, idle, fiveMinutes deviceId, deviceName, productFamily, swVersion | stats latest(*) as * by deviceId | eval cpuLoad = round(if(isnull(fiveMinutes), 100-idle, fiveMinutes)) | eval Status=if((cpuLoad <85 ), "OK" , "Not OK" ) | table deviceName, productFamily, cpuLoad, swVersion, Status | sort - cpuLoad

but this

making the two combined searches
limiting fields to those needed from either search
using stats to 'join' the two data sets with latest(*) as * to handle all fields
then doing your post search calcs

Hope this helps.

topic How to replace join command with any other alternative command for the below query? in Splunk Search

How to replace join command with any other alternative command for the below query?

Re: How to replace join command with any other alternative command for the below query?