Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Ignore results that do not appear in a separate search

Amohlmann
Communicator
‎04-23-2015 03:36 PM

A quick run down of what I want first:
I have a bunch of data flowing in for production, test, and training environments. I would like to filter out the test and training environments. Each environment has a unique ID which I would like to cross reference from a database using DBX. Then run stats on the remaining results

The two searches I want to combine:

 host=MASTER *error* Message=$ErrorSelection$|stats count by siteID|sort -num(count)

And

| dbquery "SQLDB" "SELECT * FROM SubscriptionTable WHERE IsProduction=1"

I would like to join both searches by their "siteID" then only display the sitesIDs that have IsProduction=1

0 Karma
Reply

stephane_cyrill
Builder
‎04-23-2015 05:47 PM

remove the pipe between search and dbquery
In the answer of NOUMSSI.

0 Karma
Reply

NOUMSSI
Builder
‎04-23-2015 03:44 PM

Hi try this:

host=MASTER *error* Message=$ErrorSelection$|stats count by siteID|sort -num(count) | join [search | dbquery "SQLDB" "SELECT * FROM SubscriptionTable WHERE IsProduction=1"]
Reply

NOUMSSI
Builder
‎04-23-2015 05:08 PM

ok try this:

host=MASTER *error* Message=$ErrorSelection$|stats count by siteID|sort -num(count) | join [search  dbquery "SQLDB" "SELECT * FROM SubscriptionTable WHERE IsProduction=1"]

I've just remove pipe

0 Karma
Reply

Amohlmann
Communicator
‎04-23-2015 03:57 PM

I get the following error:
Error in 'dbquery' command: This command must be the first command of a search.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...