Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Ho to get a single report by evaluating 3 saved searches

balavenkatachal
New Member
‎06-25-2012 04:38 PM

Scenario:

I need to get a single dashboard out of 3 different sourcetype by passing a unique ID using the form view.

I used the 3 queries and pulled the data to the user defined index - newindex and how do i get the data in a single value by passing the unique id.

  1. index=userindex Source=find_node_1 returns data as given below :

time_stamp mid sid

2012-06-25 14:52:39 123456789 3924110063741806337
2012-06-25 14:54:58 782345678 623458620530373121
2012-06-25 12:21:56 663236789 4189485991196251138

  1. index=userindex Source=find_node_2 returns data as given below :

vcs vcsSId csId

abc.occ analfnafafja-afafa-afafa 3924110063741806337
bac.occ baclfnafafja-afafa-afafa 623458620530373121
cac.occ cadlfnafafja-afafa-afafa 4189485991196251138

  1. index=userindex Source=find_node_3 returns data as given below : confid mcrconf host ============================================================= analfnafafja-afafa-afafa nafafja-afafa-afafa host1 baclfnafafja-afafa-afafa nafafja-cabab-atedd host2 cadlfnafafja-afafa-afafa nafafja-lalab-bcdef host3

The mapping from 1 and 2 : sid=vcsSId
The mapping from 2 and 3 : vcsSId=confid

Problem statement :

I want to get a single view of the all the above 3 with unique value by passing the "mid" dynamically using the form view.

I tried joins as given below and it fetches empty results.

index=userindex source=find_node_1 | fields time_stamp mid sid | join sid [ search source=find_node_2 | fields VCS vcsSId csId] | join vcsSId [search source=find_node_3 | fields confid mcrconf host] | table mid time_stamp sid confid mcrconf host

Please let me know if i am missing something help me on how would i combine to get a single view in a query.

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎06-25-2012 10:15 PM

Join only works on a common field - and you haven't named common fields between your sources.

Try this:

index=userindex source=find_node_1 
| fields time_stamp mid sid 
| join sid 
  [ search source=find_node_2 
  | rename vcsSId as sid
  | fields VCS sid csId]  
| join sid
   [search source=find_node_3 
   | rename confid as sid
   | fields sid mcrconf host] 
| table mid time_stamp sid mcrconf host

But why do you even need the middle join? Since you didn't use any of the fields from the second join, wouldn't it work as:

index=userindex source=find_node_1 
| fields time_stamp mid sid 
| join sid 
   [search source=find_node_3 
   | rename confid as sid
   | fields sid mcrconf host] 
| table mid time_stamp sid mcrconf host
0 Karma
Reply

balavenkatachal
New Member
‎06-26-2012 11:40 AM

Thanks a lot !

The reason for using middle join is to join the sid and , i would need some of the fileds in the final result to get them in the table

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...