topic Re: How to combine my two search queries using join or subsearch? in Splunk Search

How to combine my two search queries using join or subsearch?

allladin101 — Mon, 03 Nov 2014 18:07:44 GMT

Hi,

I have 2 queries which do not have anything in common, how ever i wish to join them can somebody help :

query 1 :

index=whatever* tms_action="*someaction*"| rex "'(?[^']+)\s*' .*"| table userhandle tms_blob_type
| join userhandle [search index=summary source=*Username* 
| table userhandle user company]

query 2:

index=whatever* sourcetype=server "_DATE_FROM_IN =*" "*_DATE_TO_IN =*" |REGEX _DATE_TO_IN ="'\d+'" | rex field= "_DATE_FROM_IN (?<_DATE_FROM_IN>.*)"|rex field= "_DATE_TO_IN (?<_DATE_TO_IN>.*)"| table _DATE_TO_IN _DATE_FROM_IN

The only way to manually join them is as shown below over the userhandle field:

index=whatever2 _threadid=12128 host=whatever18 Starting handle blob earliest=1415036143.447343 latest=1415036623.447343 | eval tdiff=_time-strptime("2014november3 17:39:43.447343","%Y%B%e %H:%M:%S.%6N")  | search tdiff<0  | sort -tdiff  | head 1  | rex field=_raw " for '(?[^']*)'"  | rename _blob_type  AS ThreadAction  | table _time userhandle ThreadAction

is there a way to do it by a join or subquery or something ?

Plesae help.

Re: How to combine my two search queries using join or subsearch?

vasanthmss — Mon, 03 Nov 2014 20:18:36 GMT

Try this,

index=whatever* (sourcetype=server "_DATE_FROM_IN =*" "*_DATE_TO_IN =*") OR (tms_action="*someaction*")  | rex "'(?[^']+)\s*' .*" |REGEX _DATE_TO_IN ="'\d+'" | rex field= "_DATE_FROM_IN (?<_DATE_FROM_IN>.*)"|rex field= "_DATE_TO_IN (?<_DATE_TO_IN>.*)"  | table userhandle tms_blob_type _DATE_TO_IN _DATE_FROM_IN  | join userhandle [search index=summary source=*Username* | table userhandle user company]

Re: How to combine my two search queries using join or subsearch?

allladin101 — Mon, 28 Sep 2020 18:04:36 GMT

It says that - Error in 'rex' command: Encountered the following error while compiling the regex ''(?[^']+)\s*' .*': Regex: unrecognized character after (? or (?-

also the query is not returning a table .. please help

even this part is not working :

index=tms_uat* (sourcetype=tms_server "DEAL_DATE_FROM_IN =" "*DEAL_DATE_TO_IN =") OR (tms_action="DS::QueryDealMessage3") |rex "'(?['^']+)\s*' ."|REGEX DEAL_DATE_TO_IN ="'\d+'" | rex field= "DEAL_DATE_FROM_IN (?.)"|rex field= "DEAL_DATE_TO_IN (?.*)" | table ULH tms_blob_type DEAL_DATE_TO_IN DEAL_DATE_FROM_IN

Re: How to combine my two search queries using join or subsearch?

davebrooking — Tue, 04 Nov 2014 11:20:57 GMT

Is there something missing from the rex command you posted in query1 in the original question?

I think the supplied answer is trying to use the same rex command as shown in query 1 from the original question.

Re: How to combine my two search queries using join or subsearch?

MuS — Tue, 04 Nov 2014 11:33:26 GMT

because this is not the answer to your question I will post it as comment:

Maybe you will have a look at this answer http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html to get an idea how to do it without the use of join or any subsearch

Re: How to combine my two search queries using join or subsearch?

tachifelix — Fri, 12 Dec 2014 11:15:43 GMT

try to use this subsearch in your search string

index=whatever* tms_action="*someaction*"| rex "'(?P<FIELDNAME>[^']+)\s*' .*"| join userhandle [search index=summary source=*Username*]|join [search  index=whatever* sourcetype=server "_DATE_FROM_IN =*" "*_DATE_TO_IN =*" |rex   "(?P<DATE_TO_IN>)'\d+'" | rex field=DATE_TO_IN  "_DATE_FROM_IN (?<_DATE_FROM_IN>.*)"|table  userhandle user company _DATE_TO_IN _DATE_FROM_IN

Re: How to combine my two search queries using join or subsearch?

lakromani — Wed, 12 Oct 2016 17:11:18 GMT

You are trying to add it to a dashboard. Instead of "<" and ">" user "<" and ">"