All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Left Join for two searches resulting fewer values and some are leaving empty

gayatrigouni
New Member
‎09-10-2019 12:11 PM

index=ecto_edpgs_grrs sourcetype=ecto_application "Successfully logged in" Login !="ALL" |table Login,_time|dedup Login|sort _time desc

| join type=left Login overwrite=false max=0
[search index= ecto_edpgs_grrs sourcetype=ecto_person WKR_EMP_STA_CD !="T"|dedup WKR_STD_ID|rename WKR_STD_ID as Login|rename WKR_FLL_NM as UserName|table Login,UserName,WKR_EMP_STA_CD ] | table Login,UserName,WKR_EMP_STA_CD,_time

Not pulling all the records (Usernames from right table)

please advise

Tags (1)
0 Karma
Reply

zacharychristen
Path Finder
‎09-10-2019 09:08 PM

Joins don't always behave as expected. You are joining on the "Login" field which means the first occurrence of Login will be pulled into your main search. If Login in your subsearch exists multiple times with different usernames for each one, this poses a problem as now those logs will not be pulling in.

A better way is to avoid joins. They typically lead to unexpected behavior and poor search performance. Alternatively, stats can be used.

I haven't tested this, as I don't have your data. But try this out:

index=ecto_edpgs_grrs ((sourcetype=ecto_application "Successfully logged in" Login!="ALL") OR (sourcetype=ecto_person WKR_EMP_STA_CD !="T"))
| rename WKR_STD_ID as Login, WKR_FLL_NM as UserName
| eval left_join_filter=if(sourcetype=="ecto_application",1,0)
| stats values(UserName) as UserName, values(WKR_EMP_STA_CD) as WKR_EMP_STA_CD, values(_time) as _time, sum(left_join_filter) as left_join_filter by Login
| where left_join_filter>0
| fields - left_join_filter

In short, this pulls your sub-search into the base search. Then, after keeping your renamed fields, applies a filter to mimic a left-join. Since all a left join is doing is appending to the base search where there is a match on Login. Then with stats we group by Login and afterwards filter to keep only the events from the base search that match Login.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...