Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How filter with join ?

Abarny
Path Finder
‎04-20-2017 08:14 AM

hi guys,
I want to filter my request where when logs{}.newStateId!=5 i recover the projects{}.id but this join isn't match and give all projects{}.id . I can't see projects{}.icma cause it takes the values on the first join and i would have all projects{}.icma by projects{}.id.

Can you tell me what wrong on my request :

index="gtav2_projects"    
|fields projects{}.id, projects{}.client.name,projects{}.icma
| stats list(projects{}.id) as projet by projects{}.client.name 
| join[search index="gtav2_projects" projects{}.icma="xxx"]
| join [search index="gta_projets" logs{}.newStateId!=5 
|fields logs{}.projectId 
| rename logs{}.projectId as 'projet' ]
|rename projects{}.client.name as Client|table Client, projet, projects{}.icma

Thanks you very much for your answers,

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-20-2017 08:34 AM

Give this a try

index="gtav2_projects"    [search index="gta_projets" logs{}.newStateId!=5 
 |fields logs{}.projectId ]
| stats list(projects{}.id) as projet by projects{}.client.name 
 | join[search index="gtav2_projects" projects{}.icma="xxx"]
|rename projects{}.client.name as Client|table Client, projet, projects{}.icma

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-20-2017 08:34 AM

Give this a try

index="gtav2_projects"    [search index="gta_projets" logs{}.newStateId!=5 
 |fields logs{}.projectId ]
| stats list(projects{}.id) as projet by projects{}.client.name 
 | join[search index="gtav2_projects" projects{}.icma="xxx"]
|rename projects{}.client.name as Client|table Client, projet, projects{}.icma
Reply
Solved! Jump to solution

Abarny
Path Finder
‎04-20-2017 08:47 AM

It's okay but i don't have projects{}.icma. I have just xxx and 1 ICMA = 1 projectId. Do you know how i can do that ?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-20-2017 09:11 AM

So you want to exclude projects which has projects{}.icma="xxx" Or only include those?

0 Karma
Reply
Solved! Jump to solution

Abarny
Path Finder
‎04-20-2017 09:28 AM

I want find all project about this Client. With projects{}.icma="xxx" I find Client, I recover all projectId about this Client and i would all projects{}.icma because each projectId has an icma.

Thanks you for your answer

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-20-2017 09:34 AM

Try this

index="gtav2_projects"    [search index="gta_projets" logs{}.newStateId!=5 
  |fields logs{}.projectId ]
  | join[search index="gtav2_projects" projects{}.icma="xxx"]
 | stats list(projects{}.id) as projet list(projects{}.icma) as icma by projects{}.client.name 
 |rename projects{}.client.name as Client|table Client, projet, projects{}.icma
Reply
Solved! Jump to solution

Abarny
Path Finder
‎04-20-2017 09:36 AM

I'm so stupid !

Thanks Somesoni2

0 Karma
Reply
Get Updates on the Splunk Community!

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...