Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to add fields from subsearch ? Used Join but didnt work ...

kshanky143
Path Finder
‎03-12-2015 10:39 AM

I have a subsearch which returns a table with 2 columns 'input' and 'Time'. Table from subsearch looks like this.
input ---------------- Time
Movie1 ---------------- 2
Movie2 ---------------- 2
Movie3 ---------------- 2

Now i would like to return input and Time fields to my main search. As shown below, i'm using join to return input and Time, but it doesn't show any results. I would like to know if im doing anything wrong here ? or is there any better approach to get this done.

index=cas OR index=vod (sourcetype=ch AND input=) OR (sourcetype=ac AND id= AND code=) OR (sourcetype=hy AND ruid=)| join ,input, TimeInHours [search sourcetype=ch input=* | chart latest(Status) as stat earliest(_time) as earliest by input| eval Time=round(((now()-earliest)/60)/60) | where match(stat, "Failed") | table input,Time]

Thanks
Sheshank

Tags (3)
0 Karma
Reply

vasanthmss
Motivator
‎03-12-2015 10:58 AM

Hi,

What's the common field? I can see that common field TimeInHours is not available in the table result.

index=cas OR index=vod (sourcetype=ch AND input=) OR (sourcetype=ac AND id= AND code=) OR (sourcetype=hy AND ruid=)| join ,input, TimeInHours [search sourcetype=ch input=* | chart latest(Status) as stat earliest(_time) as earliest by input| eval Time=round(((now()-earliest)/60)/60) | where match(stat, "Failed") | table input,Time]

Assuming input is the only common field in both the searches, 

index=cas OR index=vod (sourcetype=ch AND input=) OR (sourcetype=ac AND id= AND code=) OR (sourcetype=hy AND ruid=)| join input, TimeInHours [search sourcetype=ch input=* | chart latest(Status) as stat earliest(_time) as earliest by input| eval Time=round(((now()-earliest)/60)/60) | where match(stat, "Failed") | table input,Time]

execute the searches and check it manually input has common values,

Search 1: 
     index=cas OR index=vod (sourcetype=ch AND input=) OR (sourcetype=ac AND id= AND code=) OR (sourcetype=hy AND ruid=) | table input

Search 2:
sourcetype=ch input=* | chart latest(Status) as stat earliest(_time) as earliest by input| eval Time=round(((now()-earliest)/60)/60) | where match(stat, "Failed") | table input,Time
V
0 Karma
Reply

kshanky143
Path Finder
‎03-12-2015 11:18 AM

Hi

I dont have Time field at all to join. Thats what i have just realized now. Your answer makes more sense now.
Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...