Help me to format the query below without the join command.

nivethainspire_
Explorer

index=sample sourcetype=Sample_1 | fillnull | makemv delim=";" AID | join type=left AID [search index=sam sourcetype=sam_1|fillnull|rename Name as AID] |fillnull value="" Cos|fields * | search Legment="SOFT"|search sev=Y |stats count(VName)

The query is too slow for me and I have to run it without join.


aasabatini
Builder

Hi

Please try to understand the logic of this search:

index=sample OR index=sam sourcetype=Sample_1 OR sourcetype=sam_1 | makemv delim=";" AID
| rename Name as AID | fillnull value="" Cos | fields * | search Legment="SOFT" | search sev=Y | stats count(VName) by AID

This is the best way to do a search without a join. Also, you can use the where condition.

Regards

Alessandro

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

nivethainspire_
Explorer

When I run this I get no result, as | search sev=Y has no data (sev is from the 1st index) and | search Legment="SOFT" is from the 2nd index.

Both searches together are not working.


aasabatini
Builder

Hi

I don't know your data set. I shared the search only to understand the logic.

index=sample OR index=sam sourcetype=Sample_1 OR sourcetype=sam_1 Legment="SOFT" OR sev=Y | makemv delim=";" AID
| rename Name as AID | fillnull value="" Cos | stats count(VName) by AID

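An added example, not from either poster, of the usual stats-based replacement for the left join, written against the index and field names in the question; it assumes the sam_1 events carry the key in Name and the Sample_1 events carry a ";"-separated list in AID, as the original rename and makemv imply. Both sources are collapsed onto AID first, and only then are the sev and Legment filters applied, because sev exists only on the first index and Legment only on the second, so filtering on both before they share a row returns nothing.

```spl
(index=sample sourcetype=Sample_1) OR (index=sam sourcetype=sam_1)
| eval AID=if(index=="sam", Name, AID)
| makemv delim=";" AID
| mvexpand AID
| stats values(sev) AS sev, values(Legment) AS Legment, values(VName) AS VName BY AID
| search sev=Y Legment="SOFT"
| stats count(VName)
```

Events whose AID is null are dropped by the stats BY clause, so keep the original fillnull on AID before it if unmatched rows must survive as in the left join.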