
How to get a single report by evaluating 3 saved searches

New Member

Scenario:

I need to get a single dashboard out of 3 different sourcetypes by passing a unique ID using the form view.

I used the 3 queries and pulled the data into the user-defined index newindex. How do I get the data in a single value by passing the unique ID?

  1. index=userindex Source=findnode1 returns data as given below:

time_stamp           mid        sid

2012-06-25 14:52:39  123456789  3924110063741806337
2012-06-25 14:54:58  782345678  623458620530373121
2012-06-25 12:21:56  663236789  4189485991196251138

  2. index=userindex Source=findnode2 returns data as given below:

vcs      vcsSId                    csId

abc.occ  analfnafafja-afafa-afafa  3924110063741806337
bac.occ  baclfnafafja-afafa-afafa  623458620530373121
cac.occ  cadlfnafafja-afafa-afafa  4189485991196251138

  3. index=userindex Source=findnode3 returns data as given below:

confid                    mcrconf              host

analfnafafja-afafa-afafa  nafafja-afafa-afafa  host1
baclfnafafja-afafa-afafa  nafafja-cabab-atedd  host2
cadlfnafafja-afafa-afafa  nafafja-lalab-bcdef  host3

The mapping between 1 and 2: sid=vcsSId
The mapping between 2 and 3: vcsSId=confid

Problem statement :

I want to get a single view of all the above 3 with a unique value by passing the "mid" dynamically using the form view.

I tried joins as given below, and it fetched empty results.

index=userindex source=findnode1 
| fields timestamp mid sid 
| join sid 
  [ search source=findnode2 
  | fields VCS vcsSId csId ] 
| join vcsSId 
  [ search source=findnode3 
  | fields confid mcrconf host ] 
| table mid timestamp sid confid mcrconf host

Please let me know if I am missing something, and help me with how I would combine these to get a single view in a query.


Re: How to get a single report by evaluating 3 saved searches

Legend

Join only works on a common field - and you haven't named common fields between your sources.

Try this:

index=userindex source=findnode1 
| fields time_stamp mid sid 
| join sid 
  [ search index=userindex source=findnode2 
  | rename vcsSId as sid
  | fields vcs sid csId ]  
| join sid
   [ search index=userindex source=findnode3 
   | rename confid as sid
   | fields sid mcrconf host ] 
| table mid time_stamp sid mcrconf host

But why do you even need the middle join? Since you didn't use any of the fields from the second join, wouldn't it work as:

index=userindex source=findnode1 
| fields time_stamp mid sid 
| join sid 
   [ search index=userindex source=findnode3 
   | rename confid as sid
   | fields sid mcrconf host ] 
| table mid time_stamp sid mcrconf host
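Added example (not from any post in this thread): the three-way join written against the exact source values and field names the question lists, followed by a second, stand-alone search that does the same correlation with stats instead of join. The dashboard token name $mid$, the index=userindex qualifier inside each subsearch, and the node_host helper field are assumptions. SPL field names are case-sensitive (vcs, not VCS), and join only matches on a field that carries the same name on both sides, so each subsearch renames its key to sid before the join.

```spl
index=userindex source=findnode1 mid=$mid$
| fields time_stamp mid sid
| join type=inner sid
    [ search index=userindex source=findnode2
      | rename vcsSId AS sid
      | fields sid vcs csId ]
| join type=inner sid
    [ search index=userindex source=findnode3
      | rename confid AS sid
      | fields sid mcrconf host ]
| table time_stamp mid sid vcs csId mcrconf host

index=userindex ((source=findnode1 mid=$mid$) OR source=findnode2 OR source=findnode3)
| eval sid=coalesce(sid, vcsSId, confid)
| eval node_host=if(source=="findnode3", host, null())
| stats values(time_stamp) AS time_stamp, values(mid) AS mid, values(vcs) AS vcs,
        values(csId) AS csId, values(mcrconf) AS mcrconf, values(node_host) AS host BY sid
| where isnotnull(mid)
| table time_stamp mid sid vcs csId mcrconf host
```

The join form is the direct fix for the question. Its subsearches inherit the outer time range but are capped by default at 50,000 results and 60 seconds (subsearch_maxout and subsearch_timeout in the [join] stanza of limits.conf), so once findnode2 or findnode3 grows past that the join silently drops rows; the stats form has no such cap. In the stats form, host is a default field present on every event, so it is scoped to findnode3 events with an eval before aggregating, and the final where drops any sid that never matched a findnode1 event with the requested mid.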

Re: How to get a single report by evaluating 3 saved searches

New Member

Thanks a lot !

The reason for using the middle join is to join the sid, and I would need some of the fields in the final result to get them in the table.
