
selfjoin does not eliminate single results, unclear what to expect

myudkowsky
Communicator

I'm a new user of splunk, and apparently I don't understand how selfjoin is supposed to work.

My log has a field sessionid. As a first pass, I enter the following search:

(alpha OR ( bravo charlie) )

which produces the output I'd expect -- 13 results, some that contain alpha and others that contain bravo charlie.

Now I want to filter this further: I only want to see results that share a sessionid with other results. In particular, I want to find alpha and bravo charlie results that have the same sessionid. selfjoin would appear to be ideal:

(alpha OR ( bravo charlie) ) | selfjoin sessionid

but instead of seeing the results I expect -- and I know the answer in advance, at least in this case -- I see all 13 original results. This includes many lines with unique, that is to say "single" in selfjoin terminology, sessionids.

In other cases, and I'm not certain how I've managed it, I'll use selfjoin only to discover that just the bravo charlie results show up, and not the matching alpha results.

I expect that I simply don't understand how selfjoin works. On the other hand, the implication of the selfjoin manpage is that only results that have at least one matching sessionid should be present.

I'd like to know how to fix this search using selfjoin -- I can already do this using ordinary join -- and a reference to a more complete explanation of how selfjoin works.


kristian_kolb
Ultra Champion

You could always have a look at the transaction command to see if that suits your needs. Something along the lines of:

alpha OR (bravo charlie) | transaction sessionid startswith=alpha endswith=bravo maxevents=2

Read more here:

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Transaction

Hope this helps,

Kristian

myudkowsky
Communicator

Kristian,

Thanks for reminding me of the proper etiquette!

Regards,
Moshe

kristian_kolb
Ultra Champion

Please mark the question as answered and/or upvote if this solved your problem.

thanks,

Kristian

myudkowsky
Communicator

This works:

(alpha OR ( bravo charlie) ) | transaction sessionid | search alpha bravo

because the transaction combines the results that have a common sessionid, and the subsequent search finds the places where they both appear.

But I have to admit: I'd like to know how to use selfjoin.

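
As an added example that is not part of this thread or of Splunk's own code: a small Python model of the two approaches above, the `transaction sessionid startswith=alpha endswith=bravo` grouping from Kristian's answer (maxevents omitted) and the plain `transaction sessionid | search alpha bravo` from the post just above, run over constructed sample events. The event lines, the sessionid extraction and the simplified grouping rules are assumptions; Splunk's real transaction command has more options and processes events differently.

```python
import re
from collections import defaultdict

# Constructed sample events, not taken from the original thread: each line
# carries a sessionid and an "alpha", "bravo charlie" or unrelated hit.
SAMPLE_EVENTS = [
    "2024-12-01T10:00:01 sessionid=s1 alpha user logged in",
    "2024-12-01T10:00:05 sessionid=s1 bravo charlie file exported",
    "2024-12-01T10:01:00 sessionid=s2 alpha user logged in",
    "2024-12-01T10:02:00 sessionid=s3 bravo charlie file exported",
    "2024-12-01T10:02:30 sessionid=s5 delta unrelated event",
    "2024-12-01T10:03:00 sessionid=s4 alpha user logged in",
    "2024-12-01T10:03:30 sessionid=s4 alpha token refreshed",
    "2024-12-01T10:04:00 sessionid=s4 bravo charlie file exported",
]

def session_of(event):
    """Extract the sessionid field from one event line, or None if absent."""
    m = re.search(r"sessionid=(\S+)", event)
    return m.group(1) if m else None

def base_search(events):
    """(alpha OR ( bravo charlie) ): keep events matching either term set."""
    return [e for e in events if "alpha" in e or ("bravo" in e and "charlie" in e)]

def transaction(events, field_of, startswith=None, endswith=None):
    """Simplified model of 'transaction <field> startswith=.. endswith=..':
    group events in order by field value; a group is opened only by an event
    containing startswith and closed by one containing endswith (if given)."""
    open_groups = defaultdict(list)
    closed = []
    for e in events:
        key = field_of(e)
        if key is None:
            continue
        grp = open_groups[key]
        if not grp and startswith and startswith not in e:
            continue  # nothing open for this session and this event cannot start one
        grp.append(e)
        if endswith and endswith in e:
            closed.append(grp)
            open_groups[key] = []
    closed.extend(g for g in open_groups.values() if g)  # still-open groups
    return closed

def sessions_with_both(events):
    """transaction sessionid | search alpha bravo: sessionids with both hits."""
    groups = transaction(base_search(events), session_of)
    return sorted(session_of(g[0]) for g in groups
                  if any("alpha" in e for e in g) and any("bravo" in e for e in g))
```

Single-event sessions such as s2 and s3 survive the grouping step but drop out at the final filter, which is the effect the question was after.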

myudkowsky
Communicator

Kristian,

Thanks for the idea, I'll definitely take a look at transaction.

Does anyone have an explanation or a reference to what selfjoin does?
