Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I split the output of the join in Splunk

arungeorge09
Path Finder
‎09-07-2015 12:01 AM

I have a splunk join between a synchornous event and an asynchornous event. The only join condition between these are just a correlation id. I am able to get the join but I want to now know what are the actual reason which caused it and would like to see the part of a join . How do I do that.

index=xyz platform=apns batch=496 event="NEAT-IN"  | join type=outer alertId [ search index=xyz event=cloudPns*  ] | stats count by responseCode

Now if the responseCode is 8 then I have a problem but I want to see all the events with event=cloudPns* alone for this join condition .

I tried where but it gave me 0 results.
what I tried is this:

index=qa-speed platform=apns batch=496 event="NEAT-IN"  | join type=outer alertId [ search index=qa-speed event=cloudPns*  ] |search where event=cloudPns*

How do I achieve this . I basically want to see the output of the right part of the join.

Tags (2)
0 Karma
Reply

lquinn
Contributor
‎09-07-2015 06:49 AM

Using the join command will literally join events together so you cannot then search only for part of an event. If you wanted to return the raw event from the righthand join you could maybe rename the _raw field before the join and then table it like this:

 index=qa-speed platform=apns batch=496 event="NEAT-IN"  | join type=outer alertId [ search index=qa-speed event=cloudPns* | rename _raw AS rawEvent ] | table rawEvent
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...