- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- selfjoin does not elimnate single results, unclear...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm a new user of splunk, and apparently I don't understand how selfjoin is supposed to work.
My log has a field sessionid. As a first pass, I enter the following search:
(alpha OR ( bravo charlie) )
which produces the output I'd expect -- 13 results, some that contain alpha and others that contain bravo charlie.
Now I want to filter this further: I only want to see results that share a sessionid with other results. In particular, I want to find alpha and bravo charlie results that have the same sessionid. selfjoin would appear to be ideal:
(alpha OR ( bravo charlie) ) | selfjoin sessionid
but instead of seeing the results I expect -- and I know what the answer in advance, at least in this case -- I see all 13 original results. This includes many lines with unique, that is to say "single" in selfjoin terminology, sessionids.
In other cases, and I'm not certain how I've managed it, I'll use selfjoin only to discover that just the bravo charlie results show up, and not the matching alpha results.
I expect that I simply don't understand how selfjoin works. On the other hand, the implication of the selfjoin manpage is that only results that have at least one matching sessionid should be present.
I'd like to know how to fix this search using selfjoin -- I can already do this using ordinary join -- and a reference to a more complete explanation of how selfjoin works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could always have a look at the transaction command to see if that suits your needs. Something along the lines of:
alpha OR (bravo charlie) | transaction sessionid startswith=alpha endswith=bravo maxevents=2
Read more here:
http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Transaction
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could always have a look at the transaction command to see if that suits your needs. Something along the lines of:
alpha OR (bravo charlie) | transaction sessionid startswith=alpha endswith=bravo maxevents=2
Read more here:
http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Transaction
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Kristian,
Thanks for reminding me of the proper etiquette!
Regards,
Moshe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please mark the question as answered and/or upvote if this solved your problem.
thanks,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works:
(alpha OR ( bravo charlie) ) | transaction sessionid | alpha bravo
because the transaction combines the results that have a common sessionid, and the subsequent search finds the places where they both appear.
But I have to admit: I'd like to know to use selfjoin.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Kristian,
Thanks for the idea, I'll definitely take a look at transaction.
Does anyone have an explanation or a reference to what selfjoin does?
Enterprise Security Content Update (ESCU) | New Releases
Index This | Divide 100 by half. What do you get?
Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!
