Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to join two sets of data on a field and get the results that don't have corresponding matching data?

mohankesireddy
Path Finder
‎10-21-2014 11:59 AM

I have two sets of data, both sets have a common field with common value, when i use join command i am able to find the ones which has a matching data, but what i wanted is to find the set of data which dont have a matching hit.

sample query
index=index1 sourcetype=type1 status=503 | join requestid [search index=index1 sourcetype=type2 status=200 ] | table _time requestid

I want to get all the 503 which dont have a corresponding status 200, but have a same request id. when I use join i am getting the ones which have a corresponding 200 but not the ones which dont have one. I am not able to find a command which can do it. Any help is appreciated.

Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-21-2014 12:44 PM

Try this:

index=index1 ((sourcetype=type1 status=503) OR (sourcetype=type2 status=200)) | eventstats dc(status) as dc by requestId | search dc=1 status=503

The eventstats will count how many different status values each requestId has. The final search only keeps status=503 values that don't have a second status, ie no status=200 event for that requestId.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-21-2014 12:44 PM

Try this:

index=index1 ((sourcetype=type1 status=503) OR (sourcetype=type2 status=200)) | eventstats dc(status) as dc by requestId | search dc=1 status=503

The eventstats will count how many different status values each requestId has. The final search only keeps status=503 values that don't have a second status, ie no status=200 event for that requestId.

Reply
Solved! Jump to solution

mohankesireddy
Path Finder
‎10-21-2014 02:35 PM

Thanks Martin, it worked like a charm

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...