How to combine the results of a query to matching ...

nikhilhanda · ‎05-07-2016

first search:
index=prod |table assetId,SIZE,FORMAT,_time,processingHint |where assetId!="null"|outputlookup assetId_format_time.csv

second search
index =prod host=* [| inputlookup assetId_format_time.csv | fields+ assetId] | table assetId,clientId,mime,UserClientId,FORMAT,SIZE,_time,processingHint

but in second search results only clientId,mime,UserClientId should be from second search, and assetId,FORMAT,SIZE,_time,processingHint should be from the inputlookup table.

sundareshr · ‎05-07-2016

Try the join command, like this

index =prod host=* | join assedId [| inputlookup assetId_format_time.csv ] | table assetId,clientId,mime,UserClientId,FORMAT,SIZE,_time,processingHint

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join

nikhilhanda · ‎05-08-2016

I have tried the join command but results are not which i require.
What i require is that clientId,mime,UserClientId should get appended to matching assetId values in the table assetId_format_time.csv the table contains 4 columns including assetId column. resulting into a table which has total of 7 columns.

Thanks

How to combine the results of a query to matching fields of a column of an inputlookup csv file?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!