topic Re: join command in splunk in Splunk Search

join command in splunk

splunkn — Mon, 28 Sep 2020 19:45:37 GMT

Hi ,

I need to extract the host list which are belonging to certain applications ( Listed in my Lookup table )
Need to find which hosts are getting connected to Deployment server and after that need to pick out the hosts which are present in the lookup table. I have used join in my query. It works fine.

index=internal host=abcsdf "/services/broker/phonehome/connection" | rex "(?i)^(?:[^.]*.){10}\d+(?P<remote_host>.+?)" | rex "(?i).com(?P<remote_host>.+?)_" | dedup remote_host |rename remote_host as hostname| join hostname[|inputlookup applist] | stats distinct_count(hostname)

Any alternate idea to this?
Will join consume more time to run?

Thanks in advance

Re: join command in splunk

stephanefotso — Thu, 07 May 2015 12:23:08 GMT

Yes join consume more time to run. I think you will be interested by the link bellow:

http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html

Re: join command in splunk

splunkn — Thu, 07 May 2015 13:07:30 GMT

Stephane,,
Many Thanks and could you please explain a bit to compare events with lookup table as in my scenario.

Re: join command in splunk

stephanefotso — Mon, 28 Sep 2020 19:45:51 GMT

ok. in your case that is what you could do to avoid join:

index=internal host=abcsdf "/services/broker/phonehome/connection" | rex "(?i)^(?:[^.]*.){10}d+(?P<remote_host>.+?)" | rex "(?i).com(?P<remote_host>.+?)_" | dedup remote_host |rename remote_host as hostname| lookup applist.csv hostname| stats distinct_count(hostname)