- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help to use join to combine based on alert field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help to use join to combine based on alert field
i have two tables A and B. Based on alert field value in table A a corresponding row will be generated in table B.
i am going to use join to to combine both table A and B values based on alert field.
In some cases in table A the alert field value will be null so there wont be corresponding rows generated in table B , but i want to display these exception rows as well.
Please tell me how to achieve this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you mean by "table"?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is a table command indeed and not a table :-).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am going to take you literally even though I know it will generate an incorrect solution. You have not given us much with which to work. Try this:
| inputlookup TableA
| eval sourcetype="TableA"
| appendpipe [
| inputlookup TableB
| eval sourcetype="TableB"
]
| rename COMMENT AS "You probably don't have tables so maybe you need 'index=foo sourcetype=TableA OR sourcetype=TableB' instead"
| stats values(*) AS * dc(sourcetype) AS num_sourcetypes BY YourCommonFieldHere
| fillnull YourSometimesMissingButImportantFIeldNameHere value="YourChosenDefaultValueHere"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
many thanks for your prompt response a left type left join seems to produce good results :-).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are many problems with join and it does not scale. Use a solution like mine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@vkrishnachand, can you add some data sample from table A and table B and your existing queries. Can you also explain what you mean by exception rows without any data? What is alert field?
Please provide more details of your issue for us to assist you better.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
many thanks for your timely response.I managed to design the query with type left join and it seemed to work :-).
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
