Splunk Search

Don't understand how to use splunk join, want to merge two tables

henriq_c
Explorer

Hello,

I have this

index=myindex eventtype="perfmon_windows" object="LogicalDisk" counter="% Free Space" instance!="_Total" instance!="0"
| stats first(Value) as value by instance, host
| eval x= 100 - value
| eval x= round(x,2)
| sort host
| fields host,instance, x

the result is something like that and it is ok :

host | instance | x

server1 | C: | 30
server1 | 😧 | 20
server1 | E: | 10
server2 | C: | 40

and I have this :

index=myindex eventtype="perfmon_windows" (object="Memory" counter="% Committed Bytes In Use") instance!="_Total"
| stats first(Value) as value by instance, host
| eval y= 100 - round(value,2)
| sort host
| fields host, y

the result is something like that and it is ok :

host | y


server1 | 55
server2 | 34

I tried to join the two search with a join on host and i have that :

host | instance | x | y


server1 | 0 | 30 | 55
server1 | 0 | 20 | 55
server1 | 0 | 10 | 55
server2 | 0 | 40 | 34

But i want to have this :

host | instance | x | y


server1 | C: | 30 | 55
server1 | 😧 | 20 | 55
server1 | E: | 10 | 55
server2 | C: | 40 | 34

Do you have a solution please ?

I dont know if it is my join or other thing to do

Thank you 🙂

0 Karma

whrg
Motivator

Can you post your join command?

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!