Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use join?

taehe
Explorer
‎02-22-2023 10:25 PM

I want to use join. However, the fields to be compared are fields called _time and b. However, when join _time, b [sub_search] is performed, the date is output for only one day. What should I do?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-23-2023 12:14 AM

OK. It's clear that you have SQL background and try to implement the same logic in SPL 😉

It doesn't work this way. (or rather you can make it work this way but you usually shouldn't)

You search from the same index and group by mostly the same fields so you do the same work at least twice (not to mention that subsearches have their limits so you don't like subsearches).

Again - show us what your events look like. And tell us what you want to achieve as in "what effect you want to get".

0 Karma
Reply

taehe
Explorer
‎02-23-2023 12:25 AM

As in the initial question, I want to derive a result in which the _time and b fields match.
The spl attached below is also a field created in that context.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-23-2023 12:46 AM

OK. Let me explain why I'm asking by a simple (albeit a bit limited, I admit) analogy.

Let's assume we're talking about cars and you've only ever driven a particular brand of car which requires removal of the wheel arch just to get access to the headlight bulb. So you suddenly bought a modern car with LED headlamp and come to the forums to ask "how to remove the wheel arch so I can replace my headlight bulb?". And we're telling you that this is no longer that car you drove for many years and you don't have to remove the wheel arch. And furthermore, it's a LED lamp so you have no bulbs to change.

So in that case the problem to resolve is not "how to remove the wheel arch" but "what to do about dim headlight". Which is a completely different problem.

In your case, you're trying to get some report from your events - that's your basic need. Not the join command in itself. The join command is just a tool or a step in the way (just like removing that wheel arch).

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-22-2023 11:41 PM

1. Tell us a bit more about your data (show some sample events; obfuscated/anonymized if you have sensitive information in them).

2. Be more precise about what you want to achieve, not how you want to do it.

And most importantly:

3. There are usually better ways to correlate data than by using join. Often the way to go is to use the "stats" command

0 Karma
Reply

taehe
Explorer
‎02-22-2023 11:52 PM 
index=si-index-cbm type IN ("br-flag") 
| stats values(AMP) as AMP by _time, train_number, car_number, car 
| join type=left left=L right=R where L._time=R._time L.car_number=R.car_number
    [| search index=si-index-cbm type IN ("br-cur") 
    | stats avg(data) as data by _time, train_number, car_number, car, key, ip, name, type, date]

or

index=si-index-cbm type IN ("br-flag")
| stats values(AMP) as AMP by _time, train_number, car_number, car
| join _time, car_number
[| search index=si-index-cbm type IN ("br-cur")
| stats avg(data) as data by _time, train_number, car_number, car, key, ip, name, type, date]

I want to use those codes, but it doesn't work

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...