Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to Join indexes on common field and preserve order?

adomenico
Explorer
‎07-25-2022 07:47 AM

I have 2 indexes, one with server events and one with server temperature readings.  The server events come in when generated and the temperature readings come in every 15 mins.  How do I create a summary index so that I can see all the events for each server in order? 

The goal would be to use that summary index for MLTK and predict failures based on event sequence and temperature reading.

In SQL, I could do:

CREATE TABLE mydb.mytable as SELECT (fields) from table1.a LEFT JOIN table2.b ON (primary_key) order by (timestamp);

How to achieve this in Splunk?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-25-2022 08:14 AM

Splunk has a manual to help SQL users adapt to SPL.  See https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/SearchReference/SQLtoSplunk

You don't need anything fancy for this, though.  Since all events have a timestamp, we just need to read them in and sort them by time.

index=index1 OR index=index2
| sort 0 _time
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-25-2022 08:14 AM

Splunk has a manual to help SQL users adapt to SPL.  See https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/SearchReference/SQLtoSplunk

You don't need anything fancy for this, though.  Since all events have a timestamp, we just need to read them in and sort them by time.

index=index1 OR index=index2
| sort 0 _time
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

adomenico
Explorer
‎07-25-2022 01:44 PM

It doesn't quite work.  I have to do some field parsing because the primary key has a different name in each index (also, it's not just index but also sourcetype), so if I need to do a | rename, where doe it go?  Before or after the OR?  

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-25-2022 02:09 PM

Neither.  You can't rename before the first pipe.

I like to pick one name from either side and use that for both sides via coalesce.

index=index1 OR index=index2
| eval field1 = coalesce(index1field1, index2field1)
| eval field2 = coalesce(index1field2, index2field2)
...
| sort 0 _time
| table _time field1 field2 ...
---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...