Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you do an outer join of two stats searches?

zebu14
Explorer
‎11-06-2018 05:40 AM

Hello,

I am trying to do an outer join of two searches.

I have 2 server groups (Gateway="opaxvgw1" OR Gateway="opaxvgw2") and (Gateway="opaxvgw3" OR Gateway="opaxvgw4")
For each group, I list the customers by the term "Penta_source".

Then I want to extract the customers that are only present in one of the groups (and eliminate all the customers that are present in both)

Here is my search job, but it doesn't work :

index="axwaydb-prd" sourcetype=AXWAY-Stats Direction=I Gateway="opaxvgw1" OR Gateway="opaxvgw2" | stats count by Penta_source | join type=outer Penta_source [search index="axwaydb-prd" sourcetype=AXWAY-Stats Direction=I Gateway="opaxvgw3" OR Gateway="opaxvgw4" | stats count by Penta_source]

Any idea ?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kmaron
Motivator
‎11-06-2018 06:01 AM

Try this: (edited)

index="axwaydb-prd" sourcetype=AXWAY-Stats Direction=I Gateway IN ("opaxvgw1", "opaxvgw2", "opaxvgw3", "opaxvgw4")
| eval Group1 = if(Gateway="opaxvgw1" OR Gateway="opaxvgw2",1,0)
| eval Group2 = if(Gateway="opaxvgw3" OR Gateway="opaxvgw4",1,0)
| stats values(Group1) as Group1 values(Group2) as Group2 count by Penta_source 
| eval GroupCheck = Group1+Group2
| where GroupCheck<2

View solution in original post

Reply
Solved! Jump to solution

zebu14
Explorer
‎11-06-2018 06:05 AM

Just tried and it gives me a lot of customers that are present in each independant search, so NOK.

0 Karma
Reply
Solved! Jump to solution

zebu14
Explorer
‎11-06-2018 06:19 AM

No more success with your update
It's probably even worse (2 more results : 872 at first and 874 then)

I'm supposed to obtain 126 customers (I've already done the job through Excel to compare results)

0 Karma
Reply
Solved! Jump to solution

kmaron
Motivator
‎11-06-2018 06:28 AM

edited again. try once more.

0 Karma
Reply
Solved! Jump to solution

kmaron
Motivator
‎11-06-2018 06:27 AM

oh! I think I see where I went wrong. my apologies.

0 Karma
Reply
Solved! Jump to solution

kmaron
Motivator
‎11-06-2018 06:12 AM

I have edited my previous answer. see if that is more correct.

0 Karma
Reply
Solved! Jump to solution
Solution

kmaron
Motivator
‎11-06-2018 06:01 AM

Try this: (edited)

index="axwaydb-prd" sourcetype=AXWAY-Stats Direction=I Gateway IN ("opaxvgw1", "opaxvgw2", "opaxvgw3", "opaxvgw4")
| eval Group1 = if(Gateway="opaxvgw1" OR Gateway="opaxvgw2",1,0)
| eval Group2 = if(Gateway="opaxvgw3" OR Gateway="opaxvgw4",1,0)
| stats values(Group1) as Group1 values(Group2) as Group2 count by Penta_source 
| eval GroupCheck = Group1+Group2
| where GroupCheck<2
Reply
Solved! Jump to solution

zebu14
Explorer
‎11-06-2018 08:07 AM

This update seems to do the job.
As I still obtain many results, let me check that everything is correct and I'll validate your solution ASAP.

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...