Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Help with union not working

sarit_s
Communicator
‎06-16-2022 01:41 AM

Hello

I'm running this query:

 

| union 
    [ search host="puppet-01" OR host="jenkins-01" OR host="ANSIBLE-01" sourcetype=ProductionDeploy  NOT Permisson_Job_Name=*_permission Environment=PRODUCTION 
    | table _time, App_Name, User, Change_Log_Description, Environment, Version] 
    [ search sourcetype=mscs:storage:blob:json 
    | rex field=_raw "Details\":\"(?<Details>.*?)\"," 
    | rex field=_raw "ProjectName\":\"(?<ProjectName>.*?)\"," 
    | rex field=_raw "ScopeDisplayName\":\"(?<ScopeDisplayName>.*?)\"," 
    | rex field=_raw "releaseName\":\"(?<releaseName>.*?)\"}" 
    | rex field=_raw "ActionId\":\"(?<ActionId>Release.ReleaseCreated)\"," 
    | rex field=_raw "ActorUPN\":\"(?<ActorUPN>.*?)\"," 
    | rex field=_raw "DeploymentResult\":\"(?<DeploymentResult>.*?)\"," 
    | rex field=_raw "PipelineName\":\"(?<PipelineName>.*?)\"," 
    | where releaseName != null AND PipelineName like "%Production" 
    | rename ProjectName AS App_Name 
    | rename ActorUPN AS User 
    | rename releaseName AS Change_Log_Description 
    | rename PipelineName AS Environment
    | rename DeploymentResult AS status
    | table _time, App_Name, User, Change_Log_Description, Environment, Version,status]
    
| sort -_time asc

 

and im trying to get the status
at the first search i don't have this value but i do have it at the second one
i don't see status column at my results.

can someone explain me why ?

thanks

Labels (3)
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-16-2022 04:38 AM

Try your where command like this

| where isnotnull(releaseName) AND PipelineName like "%Production"
0 Karma
Reply

sarit_s
Communicator
‎06-16-2022 04:44 AM

still the same

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-16-2022 04:58 AM

Does this rex match your events?

| rex field=_raw "DeploymentResult\":\"(?<DeploymentResult>.*?)\","
0 Karma
Reply

sarit_s
Communicator
‎06-19-2022 12:55 AM

yes it does

the problem is the since i don't have the field status at the first search i don't get the results of the second one

maybe the union not fit here ?

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...