Splunk Search

Help with union not working

sarit_s
Communicator

Hello

I'm running this query:

 

| union 
    [ search host="puppet-01" OR host="jenkins-01" OR host="ANSIBLE-01" sourcetype=ProductionDeploy  NOT Permisson_Job_Name=*_permission Environment=PRODUCTION 
    | table _time, App_Name, User, Change_Log_Description, Environment, Version] 
    [ search sourcetype=mscs:storage:blob:json 
    | rex field=_raw "Details\":\"(?<Details>.*?)\"," 
    | rex field=_raw "ProjectName\":\"(?<ProjectName>.*?)\"," 
    | rex field=_raw "ScopeDisplayName\":\"(?<ScopeDisplayName>.*?)\"," 
    | rex field=_raw "releaseName\":\"(?<releaseName>.*?)\"}" 
    | rex field=_raw "ActionId\":\"(?<ActionId>Release.ReleaseCreated)\"," 
    | rex field=_raw "ActorUPN\":\"(?<ActorUPN>.*?)\"," 
    | rex field=_raw "DeploymentResult\":\"(?<DeploymentResult>.*?)\"," 
    | rex field=_raw "PipelineName\":\"(?<PipelineName>.*?)\"," 
    | where releaseName != null AND PipelineName like "%Production" 
    | rename ProjectName AS App_Name 
    | rename ActorUPN AS User 
    | rename releaseName AS Change_Log_Description 
    | rename PipelineName AS Environment
    | rename DeploymentResult AS status
    | table _time, App_Name, User, Change_Log_Description, Environment, Version,status]
    
| sort -_time asc

 

and im trying to get the status
at the first search i don't have this value but i do have it at the second one
i don't see status column at my results.

can someone explain me why ?

thanks

Labels (3)
Tags (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try your where command like this

| where isnotnull(releaseName) AND PipelineName like "%Production"
0 Karma

sarit_s
Communicator

still the same

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Does this rex match your events?

| rex field=_raw "DeploymentResult\":\"(?<DeploymentResult>.*?)\","
0 Karma

sarit_s
Communicator

yes it does

the problem is the since i don't have the field status at the first search i don't get the results of the second one

maybe the union not fit here ?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...