Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

join

pavithra
Explorer
‎06-11-2024 09:56 PM

index=acn_ac_snow_ticket_idx code_message=create uid="*Saml : Days to expire*" OR uid="*Self_Signed : Days to expire*" OR uid="*CA : Days to expire*" OR uid="*Entrust : Days to expire*"
| rex field=_raw "\"(?<INC>INC\d+),"
| rex field=uid "(?i)^(?P<source_host>.+?)__"
| table INC uid log_description source_host
| dedup INC uid log_description source_host
| rename INC as "Ticket_Number"
| selfjoin source_host
[ search index=acn_lendlease_certificate_tier3_idx tower=*
| table *]
| stats latest(tower) as Tower, latest(source_host) as source_host , latest(metric_value) as "Days To Expire", latest(alert_value) as alert_value, latest(add_info) as "Additional Info" by instance,Ticket_Number
| eval alert_value=case(alert_value==100,"Active",alert_value==300,"About to Expire", alert_value==500,"Expired")
| where alert_value="Active"
| search Tower="*" AND alert_value="*"
| sort "Days To Expire"
| rename instance as "Serial Number / Server ID", Tower as "Certificate Type" , source_host as Certificate , alert_value as "Certificate Status"


I am trying to map incident number with respect to source_host using join command
but its not working as expected


Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-11-2024 10:16 PM

Are you using selfjoin or join?

Either way, selfjoin is not the right command - join is also not the way to do things in Splunk as it has limitations, however, your SPL indicates your 2 data sets have 

index=acn_ac_snow_ticket_idx - INC (Ticket_Number) uid log_description source_host

index=acn_lendlease_certificate_tier3_idx - tower, metric_value, alert_value, add_info, instance, source_host

and you are trying to join these two on source_host

0 Karma
Reply

pavithra
Explorer
‎06-11-2024 10:18 PM

yes 

I have created regex to extract incident details and source host

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-11-2024 10:21 PM

and your second data set contains these fields?

tower, metric_value, alert_value, add_info, instance, source_host, Ticket_Number

0 Karma
Reply

pavithra
Explorer
‎06-11-2024 10:22 PM

yes

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-11-2024 10:31 PM

Your original search is rather unclear, so here is an attempt at removing the need to join, i.e. to do it the Splunk way, so it searches both data sets and creates the common fields 

Your original join attempt wanted source_host but you are splitting by ticket number, so is is possible that there can be multiple source_host per ticket number?

Can there also be more than one instance per ticket number?

(index=acn_ac_snow_ticket_idx code_message=create uid="*Saml : Days to expire*" OR uid="*Self_Signed : Days to expire*" OR uid="*CA : Days to expire*" OR uid="*Entrust : Days to expire*") OR
(index=acn_lendlease_certificate_tier3_idx tower=*)
| rex field=_raw "\"(?<INC>INC\d+)," 
| eval ticket=coalesce(INC, Ticket_Number)
| rex field=uid "(?i)^(?P<snow_source_host>.+?)__" 
| eval source_host=coalesce(snow_source_host, source_host)
| stats latest(tower) as Tower, latest(source_host) as source_host , latest(metric_value) as "Days To Expire", latest(alert_value) as alert_value, latest(add_info) as "Additional Info" values(instance) by ticket 
| eval alert_value=case(alert_value==100,"Active",alert_value==300,"About to Expire", alert_value==500,"Expired") 
| where alert_value="Active" 
| search Tower="*" AND alert_value="*" 
| sort "Days To Expire" 
| rename instance as "Serial Number / Server ID", Tower as "Certificate Type" , source_host as Certificate , alert_value as "Certificate Status"

Not sure if this will give you what you want - but if not, please provide some anonymised data for each data type and show how you are trying to combine them because it's not clear from the search.

0 Karma
Reply

pavithra
Explorer
‎06-11-2024 10:43 PM

pavithra_0-1718170697573.png

Hi bowesmana
Thanks for the efforts
we have data sets

index=acn_lendlease_certificate_tier3_idx tower=Self_Signed_Certificate
| stats latest(tower) as Tower, latest(source_host) as source_host , latest(metric_value) as "Days To Expire", latest(alert_value) as alert_value, latest(add_info) as "Additional Info" by instance
| eval alert_value=case(alert_value==100,"Active",alert_value==300,"About to Expire", alert_value==500,"Expired")
| where alert_value="About to Expire"
| search Tower="*" AND alert_value="*"
| sort "Days To Expire"
| rename instance as "Serial Number / Server ID", Tower as "Certificate Type" , source_host as Certificate , alert_value as "Certificate Status"

pavithra_1-1718170788871.png

here i am trying to add one more coulmn called incident 
To extract the incident details with respect to certificate values
If inc is available , then it should display numbers, orelse null
To extract the INC, using the below query

 

index=acn_ac_snow_ticket_idx code_message=create uid="*Saml : Days to expire*" OR uid="*Self_Signed : Days to expire*" OR uid="*CA : Days to expire*" OR uid="*Entrust : Days to expire*"
| rex field=_raw "\"(?<INC>INC\d+),"
| rex field=uid "(?i)^(?P<source_host>.+?)__"
| table INC uid log_description source_host
| dedup INC uid log_description source_host
| rename INC as "Ticket_Number"

pavithra_2-1718170982436.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...