Dashboards & Visualizations

Why am I not able to use join, subsearch, and lookup properly?

mohammadsharukh
Path Finder

Task: Need to identify which McAfee A.V. agents have the latest updates happening.

Work done:

1) Created a lookup and added all the unique source IPs, 54 in total.

2) Created a search to look up only the McAfee agents that have been updated, added a value of 0 for tracking, and then used a join statement to merge it with the lookup created earlier, which has a value of 1.

Problem statement: I am looking for the srcip/agents that are not updated, i.e. not present in the logs but present in the lookup, and it is not showing me the result; but it does when I do it the other way around, i.e. looking for the srcip/agents common to both the lookup and the search logs. PFA snaps.

Please help me rectify the query as per snap 2.

Please refer to the

0 Karma
1 Solution

ITWhisperer
SplunkTrust
<your index search>
| stats count by src_ip
| eval value=1
| fields src_ip value
| append
  [| inputlookup abc.csv
   | eval value=2]
| stats sum(value) as value by src_ip
| where value=2


mohammadsharukh
Path Finder

Dear ITWhisperer,

Your solution solved my problem, but I still have 3 doubts.

1) What is the difference between the join and append commands?

2) Why was my previous query with the join command not working?

3) Are there any limitations with the append command in the solution you provided? Like limits on the number of rows returned and so on.

0 Karma

ITWhisperer
SplunkTrust

1) join will look for a match between all left events among the right events: if you have a join type of "left", the left events will be kept even if there isn't a match from the right; otherwise, they are dropped.

append simply extends the event pipeline with more events, leaving the existing events intact.

2) Your join wasn't working because only the events from the index were kept; none of the events from the CSV were added if they didn't match events from the index search.

3) As with all subsearches (whether join or append), there are limits on the number of events returned (50,000). If you have more than 50,000 events in your subsearch, you will need to find a way to break the subsearch up into smaller chunks. You appear to only have 54 events in your CSV, so you should be OK.
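As an added example (not from the original post or from ITWhisperer's reply), the same append-and-sum pattern extended to report every agent's status in one table, so the result answers the original task directly rather than only listing the missing agents. It assumes the lookup is abc.csv with a src_ip column, as in the thread, and keeps the <your index search> placeholder; the field names update_events, last_update and status are chosen here. The dedup inside the subsearch guards against duplicate src_ip rows in the lookup, which would push the sum above 2 and make a missing agent disappear from where value=2.

```spl
<your index search>
| stats count as update_events, latest(_time) as last_update by src_ip
| eval value=1
| fields src_ip value update_events last_update
| append
    [| inputlookup abc.csv
     | dedup src_ip
     | fields src_ip
     | eval value=2]
| stats sum(value) as value, max(update_events) as update_events, max(last_update) as last_update by src_ip
| eval status=case(value==3, "updated", value==2, "in lookup, no update logged", value==1, "logging, not in lookup")
| eval last_update=strftime(last_update, "%Y-%m-%d %H:%M:%S")
| table src_ip status update_events last_update
| sort status src_ip
```

The value=2 rows are exactly the output of the accepted answer; value=3 agents are updating; value=1 agents are reporting to Splunk but are missing from the 54-entry lookup, which is worth checking, since an agent absent from the inventory is a gap in the coverage being measured. With append the small lookup sits in the subsearch, so the 50,000-row subsearch limit mentioned above applies to the 54-row CSV rather than to the index search. The same question can be asked with join type=left starting from inputlookup and keeping the rows where the joined count is null, but then the index search becomes the subsearch and that limit falls on the large side instead.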

mohammadsharukh
Path Finder

Appreciated. Thanks for the solution and detailed explanation.

Regards,

Sharukh

0 Karma