Splunk Search

How to lookup the same field from another search and different fields

mia
Explorer

my search as below, the two <my search command for list user rating list> search command is the same, how to reduce this search command.

I want to use once time <my search command for list user rating list>, mean share the same search results for queries. The transaction sellerId and buyerId could look up user of rating list to get the rating data.

<my search command for transaction records>
| dedup orderId
| table  orderId, sellerId, buyerId
| join type=left sellerId
[ search <my search command for list user rating list>
| table sellerId, sellerRating]
| search orderId!=""
| table orderId, sellerId, buyerId, sellerRating
| join type=left buyerId
[ search <my search command for list user rating list>
| table buyerId, buyerRating]
| search orderId!=""
| table orderId, sellerId, buyerId, sellerRating,buyerRating



transaction records maybe like as below

orderId sellerId buyerId
123 John Marry
456 Alex Josh

 

user rating (all user)

user rating
Josh 10
Alex -2
Lisa 1
Marry 3
John 0
Tim 0

 

excepted result

orderId sellerId buyerId sellerRating buyerRating
123 John Marry 0 3
456 Alex Josh -2 10
Labels (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

<my search command for transaction records>
| dedup orderId
| table  orderId, sellerId, buyerId
| append
[ search <my search command for list user rating list>
| table user, rating]
| eval user=if(isnull(sellerId), user, sellerId)
| eventstats values(rating) as sellerRating by user
| eval user=if(isnull(buyerId), user, buyerId)
| eventstats values(rating) as buyerRating by user
| where isnotnull(orderId)
| table orderId, sellerId, buyerId, sellerRating,buyerRating

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

<my search command for transaction records>
| dedup orderId
| table  orderId, sellerId, buyerId
| append
[ search <my search command for list user rating list>
| table user, rating]
| eval user=if(isnull(sellerId), user, sellerId)
| eventstats values(rating) as sellerRating by user
| eval user=if(isnull(buyerId), user, buyerId)
| eventstats values(rating) as buyerRating by user
| where isnotnull(orderId)
| table orderId, sellerId, buyerId, sellerRating,buyerRating
0 Karma

mia
Explorer

Hi, 

thanks for your solution, it's very useful.

I also have a question about

1. when to use join and append 

2. when to use search and where, like search oid!=""  v.s. where isnotnull(orderId)

 

Thanks.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

1) avoid join where possible - it is expensive on resources and slow

2) it depends on your comparison
https://docs.splunk.com/Documentation/SCS/current/SearchReference/WhereCommandUsage#Comparing_two_fi...

0 Karma

mia
Explorer

Hi, 

thanks for you explication,I'll review and rewrite my others search query statements.

 

thanks.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...