How do I join a search with a list of jobnames fro...

mihir_hardas · ‎11-10-2022

How do I join a search with a list of jobnames from a file DepC_listofjobs.csv. This file has only one column which has unique jobnames.

Below command, if I uncomment the line

earliest=-8h index=log-13120-prod-c laas_appId="pbmp.prediction*" "Prediction"

```| join [ inputlookup DepC_listofjobs.csv ]```

| bin _time span=1h

| stats dc(predictionId),dc(jobName), count by _time predictionStatus

mihir_hardas · ‎11-10-2022

The below SPL works but gives very less data than expected

earliest=-2d index=log-13120-prod-c laas_appId="pbmp.prediction*" "Prediction"
| rename jobName as jobname

| join [ inputlookup DepC_listofjobs.csv ]

| bin _time span=1h

| stats dc(predictionId),dc(jobname), count by _time predictionStatus

starcher · ‎11-10-2022

Why are you joining instead of just not using the lookup as a lookup?

mihir_hardas · ‎11-10-2022

I need to expliticity use a join+subsearch because below SPL gives no rows returned

earliest=-8h index=log-13120-prod-c laas_appId="pbmp.prediction*" "Prediction"

| join [ inputlookup DepC_listofjobs.csv ]

| bin _time span=1h

| stats dc(predictionId),dc(jobName), count by _time predictionStatus

sample event in the index is pasted below

2022-11-10 00:18:20.353 [task-25483] INFO c.m.b.p.s.p.PredictionRunner#lambda$run$2 - predictionId=e5e2a703-13c6-4c15-addc-9f2c114733ec, job=PADT-HUB-P-D-G-RS-PTY-ADDR-DLT-INS^PNA predicted as Prediction(predictionId=e5e2a703-13c6-4c15-addc-9f2c114733ec, jobName=PADT-HUB-P-D-G-RS-PTY-ADDR-DLT-INS, instance=PNA, predictionStatus=PREDICTED, predictedStartTime=1668067804, predictedFinishTime=1668067880, predictionExplanation=PREDICTED, predictedAt=1668057500)

How do I join a search with a list of jobnames from a file DepC_listofjobs.csv?

join

lookup

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies