Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Help with union not working

sarit_s
Communicator
‎06-16-2022 01:41 AM

Hello

I'm running this query:

 

| union 
    [ search host="puppet-01" OR host="jenkins-01" OR host="ANSIBLE-01" sourcetype=ProductionDeploy  NOT Permisson_Job_Name=*_permission Environment=PRODUCTION 
    | table _time, App_Name, User, Change_Log_Description, Environment, Version] 
    [ search sourcetype=mscs:storage:blob:json 
    | rex field=_raw "Details\":\"(?<Details>.*?)\"," 
    | rex field=_raw "ProjectName\":\"(?<ProjectName>.*?)\"," 
    | rex field=_raw "ScopeDisplayName\":\"(?<ScopeDisplayName>.*?)\"," 
    | rex field=_raw "releaseName\":\"(?<releaseName>.*?)\"}" 
    | rex field=_raw "ActionId\":\"(?<ActionId>Release.ReleaseCreated)\"," 
    | rex field=_raw "ActorUPN\":\"(?<ActorUPN>.*?)\"," 
    | rex field=_raw "DeploymentResult\":\"(?<DeploymentResult>.*?)\"," 
    | rex field=_raw "PipelineName\":\"(?<PipelineName>.*?)\"," 
    | where releaseName != null AND PipelineName like "%Production" 
    | rename ProjectName AS App_Name 
    | rename ActorUPN AS User 
    | rename releaseName AS Change_Log_Description 
    | rename PipelineName AS Environment
    | rename DeploymentResult AS status
    | table _time, App_Name, User, Change_Log_Description, Environment, Version,status]
    
| sort -_time asc

 

and im trying to get the status
at the first search i don't have this value but i do have it at the second one
i don't see status column at my results.

can someone explain me why ?

thanks

Labels (3)
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-16-2022 04:38 AM

Try your where command like this

| where isnotnull(releaseName) AND PipelineName like "%Production"
0 Karma
Reply

sarit_s
Communicator
‎06-16-2022 04:44 AM

still the same

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-16-2022 04:58 AM

Does this rex match your events?

| rex field=_raw "DeploymentResult\":\"(?<DeploymentResult>.*?)\","
0 Karma
Reply

sarit_s
Communicator
‎06-19-2022 12:55 AM

yes it does

the problem is the since i don't have the field status at the first search i don't get the results of the second one

maybe the union not fit here ?

0 Karma
Reply
Get Updates on the Splunk Community!

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting

Splunk is excited to announce new releases that empower ITOps and engineering teams to stay ahead in ever ...
Top