Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to lookup the same field from another search and different fields

mia
Explorer
‎05-22-2024 04:12 AM

my search as below, the two <my search command for list user rating list> search command is the same, how to reduce this search command.

I want to use once time <my search command for list user rating list>, mean share the same search results for queries. The transaction sellerId and buyerId could look up user of rating list to get the rating data.

<my search command for transaction records>
| dedup orderId
| table  orderId, sellerId, buyerId
| join type=left sellerId
[ search <my search command for list user rating list>
| table sellerId, sellerRating]
| search orderId!=""
| table orderId, sellerId, buyerId, sellerRating
| join type=left buyerId
[ search <my search command for list user rating list>
| table buyerId, buyerRating]
| search orderId!=""
| table orderId, sellerId, buyerId, sellerRating,buyerRating



transaction records maybe like as below

orderId sellerId buyerId
123 John Marry
456 Alex Josh

 

user rating (all user)

user rating
Josh 10
Alex -2
Lisa 1
Marry 3
John 0
Tim 0

 

excepted result

orderId sellerId buyerId sellerRating buyerRating
123 John Marry 0 3
456 Alex Josh -2 10
Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-22-2024 05:16 AM

Try something like this

<my search command for transaction records>
| dedup orderId
| table  orderId, sellerId, buyerId
| append
[ search <my search command for list user rating list>
| table user, rating]
| eval user=if(isnull(sellerId), user, sellerId)
| eventstats values(rating) as sellerRating by user
| eval user=if(isnull(buyerId), user, buyerId)
| eventstats values(rating) as buyerRating by user
| where isnotnull(orderId)
| table orderId, sellerId, buyerId, sellerRating,buyerRating

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-22-2024 05:16 AM

Try something like this

<my search command for transaction records>
| dedup orderId
| table  orderId, sellerId, buyerId
| append
[ search <my search command for list user rating list>
| table user, rating]
| eval user=if(isnull(sellerId), user, sellerId)
| eventstats values(rating) as sellerRating by user
| eval user=if(isnull(buyerId), user, buyerId)
| eventstats values(rating) as buyerRating by user
| where isnotnull(orderId)
| table orderId, sellerId, buyerId, sellerRating,buyerRating
0 Karma
Reply
Solved! Jump to solution

mia
Explorer
‎05-22-2024 10:19 AM

Hi, 

thanks for your solution, it's very useful.

I also have a question about

1. when to use join and append 

2. when to use search and where, like search oid!=""  v.s. where isnotnull(orderId)

 

Thanks.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-22-2024 10:26 AM

1) avoid join where possible - it is expensive on resources and slow

2) it depends on your comparison
https://docs.splunk.com/Documentation/SCS/current/SearchReference/WhereCommandUsage#Comparing_two_fi...

0 Karma
Reply
Solved! Jump to solution

mia
Explorer
‎05-22-2024 06:41 PM

Hi, 

thanks for you explication,I'll review and rewrite my others search query statements.

 

thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...