Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to join two sets of data on a field and get the results that don't have corresponding matching data?

mohankesireddy
Path Finder
‎10-21-2014 11:59 AM

I have two sets of data, both sets have a common field with common value, when i use join command i am able to find the ones which has a matching data, but what i wanted is to find the set of data which dont have a matching hit.

sample query
index=index1 sourcetype=type1 status=503 | join requestid [search index=index1 sourcetype=type2 status=200 ] | table _time requestid

I want to get all the 503 which dont have a corresponding status 200, but have a same request id. when I use join i am getting the ones which have a corresponding 200 but not the ones which dont have one. I am not able to find a command which can do it. Any help is appreciated.

Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-21-2014 12:44 PM

Try this:

index=index1 ((sourcetype=type1 status=503) OR (sourcetype=type2 status=200)) | eventstats dc(status) as dc by requestId | search dc=1 status=503

The eventstats will count how many different status values each requestId has. The final search only keeps status=503 values that don't have a second status, ie no status=200 event for that requestId.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-21-2014 12:44 PM

Try this:

index=index1 ((sourcetype=type1 status=503) OR (sourcetype=type2 status=200)) | eventstats dc(status) as dc by requestId | search dc=1 status=503

The eventstats will count how many different status values each requestId has. The final search only keeps status=503 values that don't have a second status, ie no status=200 event for that requestId.

Reply
Solved! Jump to solution

mohankesireddy
Path Finder
‎10-21-2014 02:35 PM

Thanks Martin, it worked like a charm

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...