Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I join a search with a list of jobnames from a file DepC_listofjobs.csv?

mihir_hardas
Explorer
‎11-10-2022 02:51 AM

How do I join a search with a list of jobnames from a file DepC_listofjobs.csv. This file has only one column which has unique jobnames.

 

Below command, if I uncomment the line

earliest=-8h index=log-13120-prod-c laas_appId="pbmp.prediction*" "Prediction"

```| join [ inputlookup DepC_listofjobs.csv ]```

 

 | bin _time span=1h

 

 | stats dc(predictionId),dc(jobName), count by _time  predictionStatus

Labels (2)
Labels
0 Karma
Reply

mihir_hardas
Explorer
‎11-10-2022 05:22 AM

The below SPL works but gives very less data than expected

earliest=-2d index=log-13120-prod-c laas_appId="pbmp.prediction*" "Prediction"
| rename jobName as jobname

| join [ inputlookup DepC_listofjobs.csv ]

| bin _time span=1h

| stats dc(predictionId),dc(jobname), count by _time predictionStatus

0 Karma
Reply

starcher
Influencer
‎11-10-2022 04:28 AM

Why are you joining instead of just not using the lookup as a lookup?

0 Karma
Reply

mihir_hardas
Explorer
‎11-10-2022 05:12 AM

I need to expliticity use a join+subsearch because below SPL gives no rows returned

earliest=-8h index=log-13120-prod-c laas_appId="pbmp.prediction*" "Prediction"

| join [ inputlookup DepC_listofjobs.csv ]

 

 | bin _time span=1h

 

 | stats dc(predictionId),dc(jobName), count by _time  predictionStatus


sample event in the index is pasted below

2022-11-10 00:18:20.353 [task-25483] INFO c.m.b.p.s.p.PredictionRunner#lambda$run$2 - predictionId=e5e2a703-13c6-4c15-addc-9f2c114733ec, job=PADT-HUB-P-D-G-RS-PTY-ADDR-DLT-INS^PNA predicted as Prediction(predictionId=e5e2a703-13c6-4c15-addc-9f2c114733ec, jobName=PADT-HUB-P-D-G-RS-PTY-ADDR-DLT-INS, instance=PNA, predictionStatus=PREDICTED, predictedStartTime=1668067804, predictedFinishTime=1668067880, predictionExplanation=PREDICTED, predictedAt=1668057500)

0 Karma
Reply
Get Updates on the Splunk Community!

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...