Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get matching AND non matching events with left join

claudiaG
Engager
‎10-15-2023 11:28 PM

Hi I have the use case that i need to find some direct links between different events of the same index and sourcetype.

The result should show me three different bars:

  • bar 1: count of the existing links (incl. filter criteria matching)
  • bar 2: count of the existing links where filter criteria dont match
  • bar 3: count of the events where there is no existing link at all

I came so far to make use of the "left join" to not loose the "not matching" events but now I dont know how to differiance them into a bar diagram or with an if condition to count them. It needs to be counted weekly. Can you help me please?

This is my current query state:

index=A
| rename Name as TargetName
| join type=left max=0 TargetName
   [ search index=A
   | fields TargetName ID Status]
| join type=left SourceID
   [ search index=A
   | fields SourceID, type]
| join type=left TargetID
   [ search index=A
   | fields TargetID]
| bin span=1w@w0 _time
| eval state=if(match(status,"Done") OR match(status,"Pending"), "Link + State is there", if (NOT match(status,"Done") OR NOT match(status,"Pending"), "State is missing", "No Link"))
| dedup ID _time sortby -state
| timechart span=1w@w0 count by state

Somehow I can not make it work to get all "non matching" aka. the "No Link" events. Is the "if" the right way to get what I need? Do i need to add another "eval" within each join? And if yes, how to do that?

Thank you for every help!

This should be my result (see screenshot).

Labels (5)
Labels
Preview file
14 KB
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-15-2023 11:43 PM

Hi @claudiaG ,

probably my hint will not cover your requisite, but using a search with three joins, you'll wait for hours.

Did you tried to correlate events using stats?

see my approach and try to adapt it to your Use Case, remembering that Splunk isn't a DB.

something like this:

index=A
| rename Name as TargetName
| bin span=1w@w0 _time
| stats 
   values(Status) AS Status
   dc(Status) AS Status_count
   values(SourceID) AS SourceID
   values(type) AS type
   BY TargetID _time
| eval state=case(
   Status_count=1, Status,
   match(status,"Done") OR match(status,"Pending"), "Link + State is there",
   NOT match(status,"Done") OR NOT match(status,"Pending"), "State is missing",
   1=1, "No Lynk")
| timechart span=1w@w0 count by state

Ciao.

Giuseppe

Reply

isoutamo
SplunkTrust
SplunkTrust
‎10-15-2023 11:45 PM
Hi
one old answer about joins in splunk.
https://community.splunk.com/t5/Splunk-Search/What-is-the-relation-between-the-Splunk-inner-left-joi...
r. Ismo
0 Karma
Reply
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...