- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Join not working with sub search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Join is not returning the data with subsearch, I tried many options from other answers but nothing working out.
Target is to check how many departments are using latest version of some software compare to all older versions together.
My search query
index=abc version!="2.0" | dedup version thumb_print | stats count(thumb_print) as OLD_RUNS by department | join department [search index=abc version="2.0" | dedup version thumb_print | stats count(thumb_print) as NEW_RUNS by department ] | eval total=OLD_RUNS + NEW_RUNS| fillnull value=0 | eval perc=((NEW_RUNS/total)*100) | eval department=substr(department, 1, 50) | eval perc=round(perc, 2) | table department OLD_RUNS NEW_RUNS perc | sort -percOverall this search over 1 week time period expected to return more than 100k events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you even try my solution?
Here is a runanywhere example showing it working with dummy data
| makeresults count=100
| fields - _time
| eval department="Department ".mvindex(split("ABCDE",""),random()%5)
| eval version=round(random()%3,1)
| eval thumb_print=random()%10
``` The lines above create some dummy data and can be replaced by your index search ```
| dedup version thumb_print department
| eval version=if(version="2.0","NEW_RUNS","OLD_RUNS")
| chart count(thumb_print) by department version
| fillnull value=0
| eval total=NEW_RUNS+OLD_RUNS
| eval perc=round(100*NEW_RUNS/total,2)
| eval department=substr(department, 1, 50)
| table department OLD_RUNS NEW_RUNS perc
| sort -perc- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There was issue with key department for older version, after correcting that using eval, both solutions worked.
thanks a lot guys.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks @PaulPanther @ITWhisperer
Issue is still there with Output
department OLD_RUNS NEW_RUNS total PERC
--------------------------------------------------------------------------
Department1 10 0 10 0%
Department1 0 20 20 100%
Basically old and new count of same department not in same row so with respect to new runs all percentage comes as 100% as old runs shows as 0.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you even try my solution?
Here is a runanywhere example showing it working with dummy data
| makeresults count=100
| fields - _time
| eval department="Department ".mvindex(split("ABCDE",""),random()%5)
| eval version=round(random()%3,1)
| eval thumb_print=random()%10
``` The lines above create some dummy data and can be replaced by your index search ```
| dedup version thumb_print department
| eval version=if(version="2.0","NEW_RUNS","OLD_RUNS")
| chart count(thumb_print) by department version
| fillnull value=0
| eval total=NEW_RUNS+OLD_RUNS
| eval perc=round(100*NEW_RUNS/total,2)
| eval department=substr(department, 1, 50)
| table department OLD_RUNS NEW_RUNS perc
| sort -perc- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes @ITWhisperer
I tried, let me check my data again if something missing in events or try with the data you have generated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Paul,
Thanks for help. But this still has some issues.
Output
department OLD_RUNS NEW_RUNS total PERC
--------------------------------------------------------------------------
Department1 10 0 10 0%
Department1 0 20 20 100%
Basically old and new count of same department not in same row so with respect to new runs all percentage comes as 100% as old runs shows as 0.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, made a mistake with the calculation of totals. I adjusted the search in my previous answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Subsearches are limited to 50k events which is one of the issues with using joins. Also, your dedup seems to ignore whether more than one department has the same version and thumb_print (of course, unless thumb_prints or versions are unique to department). Try something like this
index=abc
| dedup version thumb_print department
| eval version=if(version="2.0","NEW_RUNS","OLD_RUNS")
| chart count(thumb_print) by department version
| fillnull value=0
| eval total=NEW_RUNS+OLD_RUNS
| eval perc=round(100*NEW_RUNS/total,2)
| eval department=substr(department, 1, 50)
| table department OLD_RUNS NEW_RUNS perc
| sort -perc- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=abc
| dedup version thumb_print
| stats count(eval(if(version!="2.0",thumb_print,null()))) as OLD_RUNS count(eval(if(version="2.0",thumb_print,null()))) as NEW_RUNS by department
| fillnull value=0
| eval total=NEW_RUNS+OLD_RUNS
| eval perc=((NEW_RUNS/total)*100)
| eval department=substr(department, 1, 50)
| eval perc=round(perc, 2)
| sort -perc
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
