Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk Left join not working

angadbagga
Explorer
‎08-03-2020 04:06 PM

HI

I have a query like below. Can i use something else than join 

index=hello sourcetype="logs A" source="C:\\football\ab*"  OR source="C:\\Tennis\cd*" OR source="C:\\Cricket\eb*" 
| rex (something)
|eval (something)
| join type=left
[search sourcetype = "logs B" source="C:\\football\ab*"  OR source="C:\\Tennis\cd*" OR source="C:\\Cricket\eb*" 
|rex (something)
|eval (somthing)]
table 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-03-2020 08:05 PM

If both independent searches work and there is a common 'Steel' to join on, then the search looks ok. What is the size of the data set and what results (if any) do you get.

However, to answer your question, yes you can always use something other than join (and probably should)

index=abc ((sourcetype="xyz" "efp") OR (sourcetype="ufh" "stn")) source="hello1" OR source="hello2*" OR source="hello3*"
| rex field=source (?<Tweet>"\b\w{2}\b")
| eval Steel = case(Tweet == "EV", "Steel1", Tweet == "SV", "Steel2")
| table Tweet Steel _time
| eval CompletionTime_Dep=if(sourcetype="xyz", _time, null())
| eval CompletionTime_CD=if(sourcetype="ufh", _time, null())
| convert ctime(CompletionTime_Dep)
| convert ctime(CompletionTime_CD)
| stats values(CompletionTime_*) as CompletionTime_* by Tweet Steel

However, in your example, will you have many rows where Steel has the same value (Steel1/Steel2)?

If so, then is the original intention of the join to bring all sub matches from the subsearch to each of the outer rows.  If so, then the above 'stats' may not be what you intended.

 

View solution in original post

Reply
Solved! Jump to solution

angadbagga
Explorer
‎08-03-2020 04:16 PM

I want different _time values for both the source types "logsA" and "logsB" in the tabe

0 Karma
Reply
Solved! Jump to solution

diogofgm
SplunkTrust
SplunkTrust
‎08-03-2020 05:23 PM

Hi angadbagga

Can you share more details? What's the format/fields of you data? What's the expected output? Have you tried to state field you want to join?

 

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

angadbagga
Explorer
‎08-03-2020 05:49 PM

Hi

Yes, i tried to state the field i wanted to join.  I am writing this query with dummy fields.  In short there are two source types and i want CompletionTime_Dep and CompletionTime_CD in the final table

 


index=abc sourcetype="xyz" "efp" source="hello1" OR source="hello2*" OR source="hello3*"
| rex field=source (?<Tweet>"\b\w{2}\b")
| eval Steel = case(Tweet == "EV", "Steel1", Tweet == "SV", "Steel2")
| table Tweet Steel _time
| rename _time as CompletionTime_Dep
| convert ctime(CompletionTime_Dep)
| join Steel type=left
[ search sourcetype="ufh" "stn" source="hello1" OR source="hello2*" OR source="hello3*"
rex field=source (?<Tweet>"\b\w{2}\b")
| eval Steel = case(Tweet == "EV", "Steel1", Tweet == "SV", "Steel2")
| table Tweet Steel _time
| rename _time as CompletionTime_CD
| convert ctime(CompletionTime_CD)]

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-03-2020 08:05 PM

If both independent searches work and there is a common 'Steel' to join on, then the search looks ok. What is the size of the data set and what results (if any) do you get.

However, to answer your question, yes you can always use something other than join (and probably should)

index=abc ((sourcetype="xyz" "efp") OR (sourcetype="ufh" "stn")) source="hello1" OR source="hello2*" OR source="hello3*"
| rex field=source (?<Tweet>"\b\w{2}\b")
| eval Steel = case(Tweet == "EV", "Steel1", Tweet == "SV", "Steel2")
| table Tweet Steel _time
| eval CompletionTime_Dep=if(sourcetype="xyz", _time, null())
| eval CompletionTime_CD=if(sourcetype="ufh", _time, null())
| convert ctime(CompletionTime_Dep)
| convert ctime(CompletionTime_CD)
| stats values(CompletionTime_*) as CompletionTime_* by Tweet Steel

However, in your example, will you have many rows where Steel has the same value (Steel1/Steel2)?

If so, then is the original intention of the join to bring all sub matches from the subsearch to each of the outer rows.  If so, then the above 'stats' may not be what you intended.

 

Reply
Solved! Jump to solution

angadbagga
Explorer
‎08-22-2020 08:39 PM

Thanks!!

0 Karma
Reply
Solved! Jump to solution

aa70627
Communicator
‎08-22-2020 05:09 PM

I would recommend going with @bowesmana  solution instead of a left join. Left joins in splunk is more problems than its worth. 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...