Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to replace join from the below query?

pstalin_
Engager
‎12-02-2020 11:50 PM

index=105261-cli sourcetype=show_system_resources
| dedup deviceId
| eval nexus_percent_used=round(100*memory_used/memory_total)
| eval nexus_status=if(nexus_percent_used>85, "Not OK", "OK")
| fields deviceId, nexus_percent_used, nexus_status
| append
[ search index=105261-cli sourcetype=show_memory_statistics
| dedup deviceId
| eval ios_percent_used=round(100*used/total)
| eval ios_status=if(ios_percent_used>85, "Not OK", "OK")
| fields deviceId, ios_percent_used, ios_status ]
| join deviceId
[ search index=105261-np sourcetype=device_details
| fields deviceId, productFamily, swVersion, deviceName ]
| eval percent_used=if(like(productFamily, "%Nexus%"), nexus_percent_used, ios_percent_used)
| eval status=if(like(productFamily, "%Nexus%"), nexus_status, ios_status)
| table deviceName, productFamily, swVersion, percent_used, status
| sort -percent_used

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎12-02-2020 11:57 PM

Did you see my reply to your other similar question https://community.splunk.com/t5/Splunk-Search/How-to-replace-join-command-with-any-other-alternative...

The same principle would apply to this search also.

 

0 Karma
Reply

pstalin_
Engager
‎12-03-2020 03:29 AM

(index=148031-cli sourcetype=show_system_resources) OR (index=14031-cli sourcetype=show_memory_statistics) OR (index=148031-np sourcetype=device_details)
|fields deviceId,memory_used,memory_total,used,total,productFamily, swVersion, deviceName
| stats latest(*) as * by deviceId
| eval nexus_percent_used=round(100*memory_used/memory_total)
| eval nexus_status=if(nexus_percent_used > 85, "Not OK", "OK")
| eval ios_percent_used=round(100*used/total)
| eval ios_status=if(ios_percent_used > 85, "Not OK", "OK")
| eval percent_used=if(like(productFamily, "%Nexus%"), nexus_percent_used, ios_percent_used)
| eval status=if(like(productFamily, "%Nexus%"), nexus_status, ios_status)
| table deviceName, productFamily, swVersion, percent_used, status
| sort -percent_used

Tags (1)
0 Karma
Reply

pstalin_
Engager
‎12-04-2020 09:08 PM

@bowesmana Hi I have tried the query as u said before but still I'm not getting the exact events count as I got when I used join. Could you please help me in solving this?

(index=148031-cli sourcetype=show_system_resources) OR (index=14031-cli sourcetype=show_memory_statistics) OR (index=148031-np sourcetype=device_details)
|fields deviceId,memory_used,memory_total,used,total,productFamily, swVersion, deviceName
| stats latest(*) as * by deviceId
| eval nexus_percent_used=round(100*memory_used/memory_total)
| eval nexus_status=if(nexus_percent_used > 85, "Not OK", "OK")
| eval ios_percent_used=round(100*used/total)
| eval ios_status=if(ios_percent_used > 85, "Not OK", "OK")
| eval percent_used=if(like(productFamily, "%Nexus%"), nexus_percent_used, ios_percent_used)
| eval status=if(like(productFamily, "%Nexus%"), nexus_status, ios_status)
| table deviceName, productFamily, swVersion, percent_used, status
| sort -percent_used

 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎12-06-2020 03:01 PM

You will need to give an example of the data and some outcomes of the searches otherwise it's hard to diagnose the query

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...