Two Queries That Return Results Do not Return Results After Join

I have written two individual queries that both return the expected results.
A.
tag=tag name
location="location name"
message="error message"
status=400
| rex field=_raw "string from log (?<user_email>\w+[@]\S+)@string from log"
| rex field=_raw "_(?<login_dye>\w+)]"

B.
tag=tag name
"string from log"
"\"status\":400"
"string from log"
| rex field=field name "_(?<login_dye>\w+)"

However, when I join the two queries, no results are returned.
C.
tag=tag name
location="location name"
message="error message"
status=400
| rex field=_raw "string from log (?<user_email>\w+[@]\S+)@string from log"
| rex field=_raw "(?<login_dye>\w+)]"
| join type=inner login_dye
[search
tag=tag name
"string from log"
"\"status\":400"
"string from log"
| rex field=field name "(?<login_dye>\w+)"
| eval Date=strftime(_time, "%m-%d-%y")]
| eval user_email="'".user_email."',"
| dedup Date, user_email
| table Date, user_email

The main search returns a large number of results. However, the sub-search returns a relatively small number of results, so the sub-search should not be timing out. I also get no messages indicating such, and no other errors or messages.

Re: Two Queries That Return Results Do not Return Results After Join

You are performing an inner-type join, which means you are looking only for common results in both searches.
If you remove your join field login_dye, are you receiving results?

Re: Two Queries That Return Results Do not Return Results After Join

Thank you sukisen, but I think removing the join would not return the results I need. I only want the subset of the main query that includes the results from the sub-query.

tag=tag name
location="location name"
message="error message"
status=400
| rex field=_raw "string from log (?<user_email>\w+[@]\S+)@string from log"
| rex field=_raw "(?<login_dye>\w+)]"
| join type=inner login_dye
[search
tag=tag name
"string from log"
"\"status\":400"
"string from log"
| rex field=field name "(?<login_dye>\w+)"
| eval Date=strftime(_time, "%m-%d-%y")]
| eval user_email="'".user_email."',"
| dedup Date, user_email
| table Date, user_email
Re: Two Queries That Return Results Do not Return Results After Join

Hi ryanmcdermott1208,
at first check if there are common values in both searches for the field login_dye.
Then try to transform both login_dye fields to uppercase (or lowercase) and retry.
Finally, check if the number of results of the subsearch is greater than 50,000, because there's this limit in subsearches.

Anyway, join isn't a performant command; try something different: use stats count.
I could help you, but you should copy your searches using the Code Sample button (the one near the attach button), because otherwise I cannot correctly read your question.

Bye.
Giuseppe

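Giuseppe's suggestion of stats instead of join, carried out on the query in this thread. This is an added example, not any poster's search: the search terms are the thread's own placeholders, and it assumes both regexes and the `field name` field yield the same numeric login_dye value, which the events of either search set carry. Both searches run as one base search, each event is tagged with its origin, and a stats by login_dye keeps only values seen from both origins, so no subsearch and none of its row limits are involved.

```spl
(tag=tag name location="location name" message="error message" status=400)
    OR (tag=tag name "string from log" "\"status\":400" "string from log")
| rex field=_raw "string from log (?<user_email>\w+[@]\S+)@string from log"
| rex field=_raw "(?<login_dye>\w+)]"
| rex field=field name "(?<login_dye_sub>\w+)"
| eval login_dye=coalesce(login_dye, login_dye_sub)
| eval src=if(isnotnull(user_email), "main", "sub")
| eval Date=if(src="sub", strftime(_time, "%m-%d-%y"), null())
| stats dc(src) AS src_count, values(user_email) AS user_email, values(Date) AS Date BY login_dye
| where src_count=2
| mvexpand user_email
| mvexpand Date
| dedup Date, user_email
| table Date, user_email
```

Cutting the search after the `where src_count=2` line and appending `| stats count` gives the number of login_dye values present in both sets, which is the first check asked for above; a count of 0 means the extracted values never match (for example a leading zero or a stray `_` in one regex but not the other), not that join failed.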
Re: Two Queries That Return Results Do not Return Results After Join

Thank you giuseppe. The main query returns over 50k results, but the sub-query does not. I should have included that the values being extracted for "login_dye" are strictly numerical. The value being extracted from the main query matches the value being extracted from the sub-query.

here is the query in code sample:
tag=tagname
location="location name"
message="error message"
status=400
| rex field=_raw "string from log (?<user_email>\w+[@]\S+)@string from log"
| rex field=_raw "(?<login_dye>\w+)]"
| join type=inner login_dye
[search
tag=tag name
"string from log"
"\"status\":400"
"string from log"
| rex field=field name "(?<login_dye>\w+)"
| eval Date=strftime(_time, "%m-%d-%y")]
| eval user_email="'".user_email."',"
| dedup Date, user_email
| table Date, user_email
