
selfjoin does not eliminate single results, unclear what to expect

Communicator

I'm a new user of splunk, and apparently I don't understand how selfjoin is supposed to work.

My log has a field sessionid. As a first pass, I enter the following search:

(alpha OR ( bravo charlie) )

which produces the output I'd expect -- 13 results, some that contain alpha and others that contain bravo charlie.

Now I want to filter this further: I only want to see results that share a sessionid with other results. In particular, I want to find alpha and bravo charlie results that have the same sessionid. selfjoin would appear to be ideal:

(alpha OR ( bravo charlie) ) | selfjoin sessionid

but instead of seeing the results I expect -- and I know the answer in advance, at least in this case -- I see all 13 original results. This includes many lines with unique, that is to say "single" in selfjoin terminology, sessionids.

In other cases, and I'm not certain how I've managed it, I'll use selfjoin only to discover that just the bravo charlie results show up, and not the matching alpha results.

I expect that I simply don't understand how selfjoin works. On the other hand, the implication of the selfjoin manpage is that only results that have at least one matching sessionid should be present.

I'd like to know how to fix this search using selfjoin -- I can already do this using ordinary join -- and a reference to a more complete explanation of how selfjoin works.


Ultra Champion

You could always have a look at the transaction command to see if that suits your needs. Something along the lines of:

alpha OR (bravo charlie) | transaction sessionid startswith=alpha endswith=bravo maxevents=2

Read more here:

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Transaction

Hope this helps,

Kristian



Communicator

Kristian,

Thanks for reminding me of the proper etiquette!

Regards,
Moshe

Ultra Champion

Please mark the question as answered and/or upvote if this solved your problem.

thanks,

Kristian

Communicator

This works:

(alpha OR ( bravo charlie) ) | transaction sessionid | search alpha bravo

because the transaction combines the results that have a common sessionid, and the subsequent search finds the places where they both appear.

But I have to admit: I'd still like to know how to use selfjoin.

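As an added illustration (not code from this thread or from Splunk), here is a Python model of what "transaction sessionid" followed by a search for both terms computes: it groups the first-pass hits by sessionid and keeps only the sessions that contain both an alpha event and a bravo charlie event, and it also lists the "single" sessionids the poster expected selfjoin to drop. The log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the thread): every line carries a sessionid;
# s1 and s3 have both an "alpha" event and a "bravo charlie" event, s2 and s5 have
# only one of them, and s4 matches neither term.
SAMPLE_LOG = """\
2013-04-01T10:00:00 sessionid=s1 alpha login ok
2013-04-01T10:00:05 sessionid=s2 bravo charlie download
2013-04-01T10:00:07 sessionid=s1 bravo charlie download
2013-04-01T10:00:09 sessionid=s3 alpha login ok
2013-04-01T10:00:12 sessionid=s4 delta unrelated
2013-04-01T10:00:15 sessionid=s3 bravo charlie download
2013-04-01T10:00:20 sessionid=s5 alpha login ok
"""

SESSION_RE = re.compile(r"sessionid=(\S+)")


def matches_first_pass(line):
    """The thread's first search: (alpha OR (bravo charlie))."""
    return "alpha" in line or ("bravo" in line and "charlie" in line)


def group_by_session(log_text):
    """Model of '| transaction sessionid': collect first-pass hits per sessionid."""
    by_session = defaultdict(list)
    for line in log_text.splitlines():
        if not matches_first_pass(line):
            continue
        m = SESSION_RE.search(line)
        if m:
            by_session[m.group(1)].append(line)
    return dict(by_session)


def sessions_with_both(log_text):
    """Model of '| transaction sessionid | search alpha bravo': keep only the
    sessions whose combined events contain both terms. Returns {sessionid: [lines]}."""
    return {sid: lines for sid, lines in group_by_session(log_text).items()
            if any("alpha" in l for l in lines) and any("bravo" in l for l in lines)}


def single_sessions(log_text):
    """Sessionids with exactly one first-pass hit: the 'single' results the poster
    expected selfjoin to remove."""
    return {sid for sid, lines in group_by_session(log_text).items() if len(lines) == 1}
```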

Communicator

Kristian,

Thanks for the idea, I'll definitely take a look at transaction.

Does anyone have an explanation or a reference to what selfjoin does?
