Splunk Search

How to join this search with our existing search?

splunker9999
Path Finder

Hi,

Need help on a Splunk subsearch.

Below is our basic Splunk search, which gives us a few fields when the condition below is satisfied:

index=idx sourcetype=jobs NOT "User has reached the per-user job slot limit of the queue"
| rex field=_raw "loadSched(?<loadSchedule>[\w\s\-\.]+)loadStop"
| rex field=loadSchedule "[\d\.\-\s*]{6}(?<util>[\d\.]+)\s"
| fillnull value=0
| rename host to dns_name
| join type=left dns_name [| inputlookup sas_servers.csv | eval dns_name=lower(dns_name)]
| search Environment="IPC2 Loyalty"
| eval totalCount=if(status!="" OR status!=0, jobId, null())
| eval pend=if(status="PEND", jobId, null())
| eventstats dc(totalCount) as totalCount, dc(pend) as pend
| eval pct=(pend/totalCount)*100
| eval pct=round(pct,2)
| eval PendingPerc=(pct + "%")
| search status="PEND"
| dedup jobId
| rename pend as Totalpendcount
| where Totalpendcount>25
| table _time dns_name Environment jobId queue status user Totalpendcount util
| rename _time as "Job Submitted"
| convert ctime("Job Submitted")

Now, we have another search below, in which we have extracted the field UT:

index=idx1  sourcetype=load host="*" ut=*|rename host as dns_name

We need to join this search to the search above so that our table also gets the values of UT (we need to join the two searches on host (dns_name) and the _time field):

Can someone please help us get results for the UT field?


Stevelim
Communicator
base search | appendcols [ search index=idx1  sourcetype=load host="*" ut=*|rename host as dns_name | table dns_name, ut ]

somesoni2
SplunkTrust

How about this

index=idx sourcetype=jobs NOT "User has reached the per-user job slot limit of the queue"
| rex field=_raw "loadSched(?<loadSchedule>[\w\s\-\.]+)loadStop"
| rex field=loadSchedule "[\d\.\-\s*]{6}(?<util>[\d\.]+)\s"
| fillnull value=0
| rename host to dns_name
| join type=left dns_name [| inputlookup sas_servers.csv | eval dns_name=lower(dns_name)]
| search Environment="IPC2 Loyalty"
| eval totalCount=if(status!="" OR status!=0, jobId, null())
| eval pend=if(status="PEND", jobId, null())
| eventstats dc(totalCount) as totalCount, dc(pend) as pend
| eval pct=(pend/totalCount)*100
| eval pct=round(pct,2)
| eval PendingPerc=(pct + "%")
| search status="PEND"
| dedup jobId
| rename pend as Totalpendcount
| where Totalpendcount>25
| table _time dns_name Environment jobId queue status user Totalpendcount util
| join type=left dns_name [search index=idx1 sourcetype=load host="*" ut=* | stats count by host ut | table host ut | rename host as dns_name]
| rename _time as "Job Submitted"
| convert ctime("Job Submitted")

splunker9999
Path Finder

Thanks Somesh, now the UT field is appended to my table, but I couldn't see any values for the UT field.


somesoni2
SplunkTrust

Can you confirm if the subsearch is returning result and is matching with main search?

index=idx1 sourcetype=load host="*" ut=* | stats count by host ut | table host ut | rename host as dns_name