Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help with SQL query to Splunk

davalabih
Engager
‎06-14-2022 03:30 AM

Need a similar query for Splunk.

 

SELECT a.[CUSTOMER ID], a.[NAME], SUM(b.[AMOUNT]) AS [TOTAL AMOUNT]
FROM RES_DATA a INNER JOIN INV_DATA b
ON a.[CUSTOMER ID]=b.[CUSTOMER ID]
GROUP BY a.[CUSTOMER ID], a.[NAME]

 

 

0 Karma
Reply

somesoni2
Revered Legend
‎06-14-2022 09:27 AM

It would be better if you provide information on how your (relevant) data is currently ingested in Splunk, what all fields are available and how they're related. Your SQL query gives the logic, but best solution could only be identified if we know how data is stored in Splunk.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-14-2022 04:10 AM

Hi @davalabih,

I suppose that you already have data in two different indexes.

So you have to make a join between the two tables.

You could use the "join" command that in Splunk works in a way similar to SQL, but it's a very slow command so it's better to have a different approach, like the following:

index=RES_DATA OR index=INV_DATA
| stats values(NAME) AS NAME sum(AMOUNT) AS TOTAL AMOUNT BY ID

Ciao.

Giuseppe

0 Karma
Reply

davalabih
Engager
‎06-14-2022 04:26 AM

@gcusello  Here indexes are same only the resources are different.  If in one resource values is true then other resource values  need to be verified for successful transaction. 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-14-2022 04:48 AM

Hi @davalabih,

ok they are in the same index (good idea!) but how do you differentiate RES_DATA and INV_DATA?

anyway if RES_DATA and INV_DATA are the sourcetypes or another field, you can use the same approach

index=your_index (sourcetype=RES_DATA OR sourcetype=INV_DATA)
| stats values(NAME) AS NAME sum(AMOUNT) AS TOTAL AMOUNT BY ID

I don't understand what do you mean: one resource is true, the other resurce value must be verified.

Ciao.

Giuseppe

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
li.common.scroll-to.top