Splunk Search

How to join the same sourcetype - Basically inner join with same sourcetype with different type of search string and compare the value (IN) condition. )

shanaiyappan
New Member

I am using the below query to achieve IN condition in same source. Basically I am achieving how many Order has been confirmed from hold. I got what I need but is there a better way of doing in.

In simple words SQL IN query from same table.

sourcetype="sourcetype1*" "called with OrderId : * and OperationType : confirm*" | rex field=message "OrderId : (?.?) and" | table OrderId | join type=inner OrderId
[| search sourcetype="sourcetype1
" "called with OrderId :, Type : mobile and OperationType : hold" | rex field=message "OrderId : (?.*?,)" | table OrderId] |stats count by OrderId.

0 Karma

shanaiyappan
New Member

Thank you for the answer let me check that

0 Karma

arjunpkishore5
Motivator

In your case, just use a subsearch

sourcetype="sourcetype1*" "called with OrderId : and OperationType : confirm" 
    [| search sourcetype="sourcetype1" "called with OrderId :, Type : mobile and OperationType : hold" 
    | rex field=message "query: (?.*?,)" 
    | table query] 
| rex field=message "OrderId : (?.?) and" 
| stats count by OrderId.

In the above sample, the inner search returns order id's which have hold. - https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/Useasubsearch

Why I changed the name to query instead of OrderId in the inner search - https://docs.splunk.com/Documentation/Splunk/latest/Search/Changetheformatofsubsearchresults

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...