Ignore results that do not appear in a separate se...

Amohlmann · ‎04-23-2015

A quick run down of what I want first:
I have a bunch of data flowing in for production, test, and training environments. I would like to filter out the test and training environments. Each environment has a unique ID which I would like to cross reference from a database using DBX. Then run stats on the remaining results

The two searches I want to combine:

 host=MASTER *error* Message=$ErrorSelection$|stats count by siteID|sort -num(count)

And

| dbquery "SQLDB" "SELECT * FROM SubscriptionTable WHERE IsProduction=1"

I would like to join both searches by their "siteID" then only display the sitesIDs that have IsProduction=1

stephane_cyrill · ‎04-23-2015

remove the pipe between search and dbquery
In the answer of NOUMSSI.

NOUMSSI · ‎04-23-2015

Hi try this:

host=MASTER *error* Message=$ErrorSelection$|stats count by siteID|sort -num(count) | join [search | dbquery "SQLDB" "SELECT * FROM SubscriptionTable WHERE IsProduction=1"]

NOUMSSI · ‎04-23-2015

ok try this:

host=MASTER *error* Message=$ErrorSelection$|stats count by siteID|sort -num(count) | join [search  dbquery "SQLDB" "SELECT * FROM SubscriptionTable WHERE IsProduction=1"]

I've just remove pipe

Amohlmann · ‎04-23-2015

I get the following error:
Error in 'dbquery' command: This command must be the first command of a search.

Ignore results that do not appear in a separate search

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio