Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Adding a Field from a Subsearch Using Join - Inaccurate Results

rescobar713
Path Finder
‎06-25-2015 09:24 AM

I'm trying to add a field to my main search based on the values retrieved from a subsearch. More specifically, my main search finds all questions posted on my company's community website, and the subsearch finds all responses to questions. I'm trying to match each question (found from the main search) with its first response (found by sorting the responses by time and dedup'ing the subsearch based on a thread ID). However, this doesn't seem to be working properly. Here is my search:

... | join thread_object_id [search ... | dedup thread_object_id sortby +activity_ts | eval first_comment_ts=activity_ts | fields thread_object_id first_comment_ts]

When I run this search, it pairs events from my main search with timestamps for the wrong comments (the first_comment_ts is incorrect), as if the dedup thread_object_id sortby +activity_ts didn't sort it properly. In fact, it matches each thread_object_id with the first_comment_ts of the 2nd comment instead of the 1st.

When I run the subsearch on its own, everything looks fine. It only displays events that correspond to the first comment of each thread (first appearance of each thread_object_id when sorted by activity_ts, which is exactly what I want.

Here's an example event for a bit more clarification.

Subsearch result:
alt text
Main search result (after being joined with the subsearch):
alt text

Any ideas why the join command would be causing these inconsistencies? Or is there any way I could do this more efficiently, perhaps without using join? I'm sort of at a loss here.

Thanks.

Tags (3)
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-25-2015 10:01 AM

Consider using stats to merge your two sourcetypes.

http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi...

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-30-2015 01:05 PM

You could split your single field into two fields like this:

... | eval question_ts = case(searchmatch("question"), activity_ts) | eval comment_ts = case(searchmatch("comment"), activity_ts) | ...
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-26-2015 12:32 AM

That's no problem. Something along these lines should do:

sourcetype=foo (question OR comment) | eventstats earliest(activity_ts) as first_comment_ts by thread_object_id | search question

The initial search picks out both types of events, questions and comments. The eventstats copies the earliest occurrence of an activity_ts over to all events for each thread_object_id (note: I've assumed that questions don't have this field. If they do you need to do a bit of reshuffling to select the correct events.). The final search throws out the comments from the final results.

0 Karma
Reply

rescobar713
Path Finder
‎06-30-2015 12:31 PM

Hey, that looks like it could work. However, both questions and responses have the activity_ts field. How would you suggest I shuffle things around to account for this? Just for some clarification, I want to find the earliest activity_ts out of the response events, and use those results populate the first_comment_ts field in the question events. I've tried to tinker with it but my solutions just seem overly convoluted.

Sorry for the late response. Thank you so much for your help so far.

0 Karma
Reply

rescobar713
Path Finder
‎06-25-2015 11:07 AM

The events in both the main search and the subsearch have the same sourcetype.

0 Karma
Reply

stephanefotso
Motivator
‎06-25-2015 09:57 AM

Hello! add the type=inner to the join command. Some thing like this:

 ... | join type= inner thread_object_id [search ... | dedup thread_object_id sortby +activity_ts | eval first_comment_ts=activity_ts | fields thread_object_id first_comment_ts]

Thanks

SGF
0 Karma
Reply

rescobar713
Path Finder
‎06-25-2015 11:02 AM

Yeah, I still get the same results.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-25-2015 10:02 AM

Specifying type=inner won't change anything because that's the default setting.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...