JOIN in multi indexes (OR)

joy76

Splunk version 4.3

In the pulldown host_select:
*
WEBSERVER1
WEBSERVER2
WEBSERVER3

search A: index=webserver1 OR index=webserver2 OR index=webserver3 | search index=$host_select$ | table serverName message method
search B: index=webserver1 | fields + serverName message method | JOIN type=inner message [search index=major_message earliest=-24h | fields + messageType ] OR index=webserver2 OR index=webserver3 | search index=$host_select$ | table serverName message method

Search A is working.
Search B is working, but its result is different from what I expected.

Thanks everyone.


lguinn2

Search A may work, but it is very inefficient. This should do exactly the same thing, but much faster:

index=$host_select$ | table serverName message method

You should be getting results only from the index that you selected.

Search B selects everything from the webserver1 index, but will only keep events that have a matching message in the major_message index. If there is no match, then there will be no events from webserver1. If there is a match, you will get the messageType from the major_message index. I think there may also be a syntax error in this search. After all of that, if it works at all, you will still only get the events from the index you selected. My guess is that you get nothing unless you select webserver1 - and probably you still get nothing from search B.

From looking at search B, I have a few questions:

  • What is major_message? Is it data that would allow you to determine the type of a message? Where does it come from? Could this data be used as a lookup table? That would be easier than a join.
  • Is the data in the webserver1, webserver2 and webserver3 indexes completely independent? For these searches, do you want to look at only data from one of them, or do you want to correlate data from across all three? If you only want to look at data from a selected webserver, start the search string with index=$host_select$
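To make the two approaches in the answer concrete, here are three searches written as an added example; they are not the poster's or lguinn2's searches. They assume that the events in major_message carry the message text in a field named message (the original subsearch does not show that field), and that a CSV lookup definition named message_types with the columns message and messageType has been created. One point worth seeing in the first search: the join field has to survive the subsearch, so the subsearch keeps message as well as messageType (the original `fields + messageType` drops message, and an inner join on a field the subsearch no longer has can match nothing).

```spl
index=$host_select$
| join type=inner message
    [ search index=major_message earliest=-24h
      | dedup message
      | fields message messageType ]
| table serverName message method messageType

index=$host_select$
| lookup message_types message OUTPUT messageType
| table serverName message method messageType

index=$host_select$
| lookup message_types message OUTPUT messageType
| where isnull(messageType)
| table serverName message method
```

The first search is the corrected inner join: it returns only webserver events whose message appears in major_message in the last 24 hours, with the messageType attached. The second search gives the same enrichment through a lookup, which avoids the subsearch result limit that bounds a join and is the form the answer recommends. The third search inverts the join: it keeps only events whose message is not in the lookup, which is the list of unexpected or uncatalogued messages that a reviewer usually cares about. One caveat applies to all three: when the pulldown value is `*`, `index=$host_select$` becomes `index=*` and searches every index the user is allowed to read, not just the three webserver indexes that search A names explicitly, so a dashboard that is meant to stay inside those three should still list them with OR when the wildcard is chosen.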