Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to join this search with our existing search?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to join this search with our existing search?
splunker9999
Path Finder
07-11-2016
02:09 PM
Hi,
Need help on a Splunk subsearch.
Below is our Splunk basic search which gives us few fields if it satisfies the below condition:
index=idx sourcetype=jobs NOT "User has reached the per-user job slot limit of the queue"
|rex field=_raw "loadSched(?<loadSchedule>[\waA-zZ0-9\s\-\.]+)loadStop"
| rex field=loadSchedule "[\d\.\-\s*]{6}(?<util>[\d\.]+)\s"
|fillnull value=0
|rename host to dns_name
| join type=left dns_name [|inputlookup sas_servers.csv|eval dns_name=lower(dns_name)]
| search Environment="IPC2 Loyalty"
| eval totalCount=if(status!="" OR status!=0, jobId, null())
| eval pend= if(status="PEND", jobId, null())
| eventstats dc(totalCount) as totalCount, dc(pend) as pend
| eval pct=(pend/totalCount)*100
| eval pct=round(pct,2)
| eval PendingPerc=(pct + "%")
| search status="PEND"
| dedup jobId
| rename pend as Totalpendcount
|where pend>25
| table _time dns_name Environment jobId queue status user Totalpendcount util
| rename _time as "Job Submitted"
| convert ctime("Job Submitted")
Now, we have another search below: where we have extracted field name UT
index=idx1 sourcetype=load host="*" ut=*|rename host as dns_name
We need to join this search to the above search such that our table should get values of UT (we need to join this search with host (dns_name) and _time field):
Can some one please help us in getting results for the UT field?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stevelim
Communicator
07-12-2016
04:22 AM
base search | appendcols [ search index=idx1 sourcetype=load host="*" ut=*|rename host as dns_name | table dns_name, ut ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
07-11-2016
02:21 PM
How about this
index=idx sourcetype=jobs NOT "User has reached the per-user job slot limit of the queue"
|rex field=_raw "loadSched(?<loadSchedule>[\waA-zZ0-9\s\-\.]+)loadStop"
| rex field=loadSchedule "[\d\.\-\s*]{6}(?<util>[\d\.]+)\s"
|fillnull value=0
|rename host to dns_name
| join type=left dns_name [|inputlookup sas_servers.csv|eval dns_name=lower(dns_name)]
| search Environment="IPC2 Loyalty"
| eval totalCount=if(status!="" OR status!=0, jobId, null())
| eval pend= if(status="PEND", jobId, null())
| eventstats dc(totalCount) as totalCount, dc(pend) as pend
| eval pct=(pend/totalCount)*100
| eval pct=round(pct,2)
| eval PendingPerc=(pct + "%")
| search status="PEND"
| dedup jobId
| rename pend as Totalpendcount
|where pend>25
| table _time dns_name Environment jobId queue status user Totalpendcount util
| join type=left dns_name [search index=idx1 sourcetype=load host="*" ut=*|stats count by host ut | table host ut| rename host as dns_name]
| rename _time as "Job Submitted"
| convert ctime("Job Submitted")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunker9999
Path Finder
07-12-2016
10:26 AM
Thanks Somesh, now UT field is appended to my table, but I could'nt see any values for UT field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
07-12-2016
10:52 AM
Can you confirm if the subsearch is returning result and is matching with main search?
index=idx1 sourcetype=load host="*" ut=*|stats count by host ut | table host ut| rename host as dns_name
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Unlock What’s Next: The Splunk Cloud Platform at .conf25
In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...
