Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to join and read input from csv?

GhanaRusk
Engager
‎02-21-2023 10:13 PM

I've a query

 

index="main" app="student-api" "tags.path"=/enroll "response"=succcess

 

which also gives a trace_id

and then I've

 

index="main" app="student-api"

 

which gives a student_id.

I want to get the latest timestamp of enrollment (by joining the results) for each student_id (stored in a csv).

The output would look like -

student_id| latest timestamp of enrollment

Please suggest the steps to follow. I tried

 

index="main" app="student-api" tags.student_id | join type=inner trace_id
[| search index="main" app="student-api" "tags.path"="/enroll" "response"=success]

 

for the join, but it's not yielding the result. Also how to inputlookup the student_id from csv?

Appreciate your help with this. Thanks

@ITWhisperer @gcusello 

Labels (2)
Labels
0 Karma
Reply

GhanaRusk
Engager
‎02-21-2023 11:28 PM

also inside if should those be == vs =?

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-21-2023 11:29 PM

You don't need to use == 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-21-2023 10:51 PM

It's not totally clear what 3 bits of data come from each place

index="main" app="student-api" tags.student_id

gives you a student id AND a trace_id?

index="main" app="student-api" "tags.path"="/enroll" "response"=success

gives you a trace_id but no student id

What information do you need from this event if you plan to get the latest timestamp of enrollment from the CSV?

Its a good idea to avoid using join - normally you join datasets in Splunk with the stats command, e.g.

index="main" app="student-api" (tags.student_id OR "tags.path"="/enroll" response=success)
| stats values(student_id) as student_id
        max(eval(if("tags.path"="/enroll" AND response=success, _time, null()))) as last_enrollment by trace_id

This searches both data sets and will give you the last time when an event had a successful enrollment for any given trace id and the value of any associated student id for that trace id.

If you want to look things up from a lookup file use

| lookup mylookup.csv student_id

where student_id is a field in the lookup and your data

0 Karma
Reply

GhanaRusk
Engager
‎02-21-2023 11:04 PM 
index="main" app="student-api" tags.student_id
gives you a student id AND a trace_id?

Correct

index="main" app="student-api" "tags.path"="/enroll" "response"=success
gives you a trace_id but no student id

Correct

What information do you need from this event if you plan to get the latest timestamp of enrollment from the CSV?

I get only the student_id from csv

I want the latest date of successful enrollment  for a given student id.

I'll give your query a try - thanks

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-21-2023 11:31 PM

If you have the student id from the event search 

index="main" app="student-api" tags.student_id

what is your purpose for the CSV lookup?

0 Karma
Reply

GhanaRusk
Engager
‎02-21-2023 11:32 PM

We'd like to get only the latest enrollment success dates for students in the csv

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-21-2023 11:38 PM

I still don't get it, but maybe I don't need to - your search that searches your index for /enroll - isn't that giving you the latest date?

0 Karma
Reply

GhanaRusk
Engager
‎02-21-2023 11:53 PM

I get - 

Error in 'stats' command: The eval expression for dynamic field 'if("tags.path"="/enroll" AND "response"=success, _time, null())' is invalid. Error='Type checking failed. The '==' operator received different types.'.

But if I do this 

"tags.path"=="/enroll" AND "response"=="success"

it gets past that error and runs.

So to explain it say the csv has - student1 and student2
I'd like to get the latest enrollment date for those 2 students. 
Now, since index="main" app="student-api" "tags.path"="/enroll" "response"=success doesn't allow us to filter by student_id, I am trying to get the trace_id from that query, join it with index="main" app="student-api" (which allows us to filter by student_id)  based on that trace_id and then use the 2 ids from the csv to filter on that result.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-22-2023 12:17 AM

The error was caused by not quoting "success", it should have been

max(eval(if("tags.path"="/enroll" AND response="success", _time, null())))
0 Karma
Reply

GhanaRusk
Engager
‎02-22-2023 12:45 AM

thanks that was it. 

Now the query is not yielding any result still - curious where does it "join" by trace_id? is `by trace_id` on stats enough?

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-22-2023 01:42 AM

Please post an example of a data event and the search you are running - also please mask any sensitive information.

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...