Splunk Search

How to get the count of fields from 2 database tables that have one field in common

isha_rastogi
Path Finder

I have a table that counts different versions of products and a second table that has the system type, like Laptop, VDI, etc. I can combine both tables by ID, but as it's unique I don't need this individually.

I need to create a chart something like below

Product Version System count
1.1             20
1.2             13
1.3             17

I'm writing the search like this:

earliest=-24h latest=now index=abc  source=xyz| dedup ID |stats values(RUNNING_VER) as Version | mvexpand Version |join [search earliest=-24h latest=now index=abc source=pqr  | dedup NAME|eval Names=substr(NAME,1,3)|rex field=Names "(?.$)"| search Systems="I" OR Systems="X"|stats count by Systems] 

I'm always getting same count if I use this search. Any help would be greatly appreciated.

Tags (2)
0 Karma

maciep
Champion

I get the impression that you may not know how join works. Typically, you use join to glue to result sets together by one or more fields. It looks like your search is trying to join a result set of just one field called Version to a result set of just two fields called count and Systems. So there's no field for splunk to use to join those together?

Anyway, you may be able to get away with just stats and not use join. Note: it's really hard to come up with a working search without actually seeing your data, but maybe something like this.

earliest=-24h latest=now index=abc (source=xyz OR (source=pqr AND (Systems="I" OR Systems="X")))  
| stats count(Systems) as system_count, values(RUNNING_VER) as product_version by ID 
| stats sum(system_count) by product_version

So get data from both sources initially (assuming the Systems filter is needed for pqr from your search?) . Then use stats to count events from the pqr data and get version from xyz source by the common ID field. And since you may have duplicate versions across IDs (???), just sum the counts from the pqr source by version from xyz.

Hope that helps somewhat.

0 Karma

isha_rastogi
Path Finder

I got it working with join. was missing stats command after joining tables. Thanks for your help. I'll try your solution as well it seems like optimized one

0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...