Splunk Search

How do I join a search with a list of jobnames from a file DepC_listofjobs.csv?

mihir_hardas
Explorer

How do I join a search with a list of jobnames from a file DepC_listofjobs.csv? This file has only one column, which holds unique jobnames.

The search below, if I uncomment the `join` line:

```
earliest=-8h index=log-13120-prod-c laas_appId="pbmp.prediction*" "Prediction"
| join [ inputlookup DepC_listofjobs.csv ]
| bin _time span=1h
| stats dc(predictionId),dc(jobName), count by _time predictionStatus
```

0 Karma

mihir_hardas
Explorer

The SPL below works but gives much less data than expected:

```
earliest=-2d index=log-13120-prod-c laas_appId="pbmp.prediction*" "Prediction"
| rename jobName as jobname
| join [ inputlookup DepC_listofjobs.csv ]
| bin _time span=1h
| stats dc(predictionId),dc(jobname), count by _time predictionStatus
```

0 Karma

starcher
Influencer

Why are you joining instead of just not using the lookup as a lookup?

0 Karma
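What "using the lookup as a lookup" looks like in practice, as an added example that is neither starcher's nor the original poster's code. It assumes the CSV column is named `jobname` (the `rename jobName as jobname` in the second attempt suggests this) and that the indexed events carry the field as `jobName`, as the sample event in this thread does; adjust the `AS` clause if the column is named differently:

```spl
earliest=-8h index=log-13120-prod-c laas_appId="pbmp.prediction*" "Prediction"
| lookup DepC_listofjobs.csv jobname AS jobName OUTPUT jobname AS listed_job
| where isnotnull(listed_job)
| bin _time span=1h
| stats dc(predictionId), dc(jobName), count by _time predictionStatus
```

`lookup` runs per event: every event whose `jobName` appears in the CSV gets the `listed_job` field, and `where isnotnull(listed_job)` keeps only those. Unlike `join`, this is not a subsearch, so it is not subject to subsearch row and time limits, and it does not depend on the two sides sharing a field name. It is the same pattern used for matching events against any watchlist kept in a CSV, such as a list of hosts or accounts under review.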

mihir_hardas
Explorer

I need to explicitly use a join+subsearch because the SPL below returns no rows:

```
earliest=-8h index=log-13120-prod-c laas_appId="pbmp.prediction*" "Prediction"
| join [ inputlookup DepC_listofjobs.csv ]
| bin _time span=1h
| stats dc(predictionId),dc(jobName), count by _time predictionStatus
```


A sample event from the index is pasted below:

```
2022-11-10 00:18:20.353 [task-25483] INFO c.m.b.p.s.p.PredictionRunner#lambda$run$2 - predictionId=e5e2a703-13c6-4c15-addc-9f2c114733ec, job=PADT-HUB-P-D-G-RS-PTY-ADDR-DLT-INS^PNA predicted as Prediction(predictionId=e5e2a703-13c6-4c15-addc-9f2c114733ec, jobName=PADT-HUB-P-D-G-RS-PTY-ADDR-DLT-INS, instance=PNA, predictionStatus=PREDICTED, predictedStartTime=1668067804, predictedFinishTime=1668067880, predictionExplanation=PREDICTED, predictedAt=1668057500)
```

0 Karma
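The sample event above has its field as `jobName`, while the second search in this thread renames to `jobname` to match the CSV. `join` with no field list joins on whatever fields the two sides share, so a name mismatch leaves nothing to join on, which is consistent with the empty result. If a subsearch is still wanted, the usual form is to let the subsearch expand into a filter on the main search rather than joining. This is an added example, not the original poster's code; it assumes the CSV column is `jobname`:

```spl
earliest=-8h index=log-13120-prod-c laas_appId="pbmp.prediction*" "Prediction"
    [ inputlookup DepC_listofjobs.csv | fields jobname | rename jobname AS jobName ]
| bin _time span=1h
| stats dc(predictionId), dc(jobName), count by _time predictionStatus
```

The subsearch returns rows with a single field `jobName`, which Splunk rewrites into `(jobName="..." OR jobName="...")` and applies as part of the base search, so every matching event is counted. If `join` must be kept, name the field explicitly and align the names inside the subsearch: `| join type=inner jobName [ inputlookup DepC_listofjobs.csv | rename jobname AS jobName ]`. Either subsearch form is capped by the subsearch limits in limits.conf (by default 50,000 rows and 60 seconds for `join`), so a long job list can silently truncate and produce fewer results than expected, which is a likely explanation for the "much less data" seen with the second search; the `lookup` form has no such cap.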