Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Creating a join when first search contains multiple values for a single field

richnavis
Contributor
‎07-19-2018 06:25 PM

Hey all, this one has be stumped. I'm trying to join two searches where the first search includes a single field with multiple values. The matching field in the second search ONLY ever contains a single value. The search ONLY returns matches on the join when there are identical values for search 1 and search 2. In other words if search 1 has a field named id, and contains id=a and id=b and the second search contains id=b, no results will be returned. The search will ONLY return results if search 1 contains a single value for id.
Does anyone have any suggestion on how to join a search with multiple values?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Shan
Builder
‎07-19-2018 11:49 PM

@richnavis - If you have multiple values in outer query and single value in inner query also the join condition will work . please take a look into below sample code. kindly replace with a test index in inner query and test it .. 

| makeresults 
| eval mytrimexaxis =mvappend("1531981800","1531982400","1531982700","1531983000","1531983600") 
| mvexpand mytrimexaxis 
| table mytrimexaxis
| join type=inner mytrimexaxis  [ index=*** (replace with ur tetsing index)
| eval mytrimexaxis="1531981800"
| table mytrimexaxis
] 
 | table mytrimexaxis

View solution in original post

Reply
Solved! Jump to solution

j_cabanillas
Explorer
‎07-19-2018 11:57 PM

PLease share your query, that way is easier to understand why is not working,

the logic of the join command should be that for each value on search 1 for the specific field you should have results in search 2 with additional information (other fields) .

What do you want to get from search 2 to include on search 1 ?

0 Karma
Reply
Solved! Jump to solution

richnavis
Contributor
‎07-20-2018 09:33 AM

Here's a simplified version of my search. Note, that this doesn't return results the way I would like either. It only returns values where the number of id values are equal, and the id values match
index=myindex "instances{}.id"="" | rename "instances{}.id as id
| join inner id [search index=myindex2 earliest=-1d id=]

The reason for the join is that index2 contains a "name" field that I want to include in my report. both contain ID fields, although I have to rename the one from index1 since it has a different name

0 Karma
Reply
Solved! Jump to solution

richnavis
Contributor
‎07-20-2018 09:34 AM

Note, there's an asterisk at the end of the equal size in both searches... the html isn't showing it.

0 Karma
Reply
Solved! Jump to solution

j_cabanillas
Explorer
‎07-20-2018 10:05 AM

I think I know why it's not giving you what you need.
In Search 2 you should include a table or stats of your results .

something like [search index=myindex2 earliest=-1d id=*|stats values(name) as name by id]

This will give you results that search 1 can use

you query should be something like this index=myindex "instances{}.id"="" | rename "instances{}.id as id 
| join inner id [search index=myindex2 earliest=-1d id=*|stats values(name) as name by id] | table id name and other fields you want to include

0 Karma
Reply
Solved! Jump to solution
Solution

Shan
Builder
‎07-19-2018 11:49 PM

@richnavis - If you have multiple values in outer query and single value in inner query also the join condition will work . please take a look into below sample code. kindly replace with a test index in inner query and test it .. 

| makeresults 
| eval mytrimexaxis =mvappend("1531981800","1531982400","1531982700","1531983000","1531983600") 
| mvexpand mytrimexaxis 
| table mytrimexaxis
| join type=inner mytrimexaxis  [ index=*** (replace with ur tetsing index)
| eval mytrimexaxis="1531981800"
| table mytrimexaxis
] 
 | table mytrimexaxis
Reply
Solved! Jump to solution

richnavis
Contributor
‎07-20-2018 02:46 PM

Brilliant! The key to making it work was to add the mvexpand into my first search. I did not realize that this command existed, but once I added that into my first search, the first and second search joined just like I wanted them to. Thanks so much for the help

0 Karma
Reply
Solved! Jump to solution

richnavis
Contributor
‎07-20-2018 02:50 PM

shankarananth, if you could convert your comment to an answer, I will accept that as the answer

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...