Splunk Search

JOIN in multi indexes(OR)

joy76
Path Finder

Splunk version 4.3

in the Pulldown
host_select :
*
WEBSERVER1
WEBSERVER2
WEBSERVER3

search A : index=webserver1 OR index=webserver2 OR index=webserver3 | search index=$host_select$ | table serverName message method
search B : index=webserver1 | fields + serverName message method | JOIN type=inner message [search index=major_message earliest=-24h | fields + messageType ] OR index=webserver2 OR index=webserver3 | search index=$host_select$ | table serverName message method

search A is working.
search B is working, but its result is different from what I expected.

Thanks everyone.


lguinn2
Legend

Search A may work, but it is very inefficient. This should do exactly the same thing, but much faster:

index=$host_select$ | table serverName message method

You should be getting results only from the index that you selected.

Search B selects everything from the webserver1 index, but will only keep events that have a matching message in the major_message index. If there is no match, then there will be no events from webserver1. If there is a match, you will get the messageType from the major_message index. I think there may also be a syntax error in this search. After all of that, if it works at all, you will still only get the events from the index you selected. My guess is that you get nothing unless you select webserver1 - and probably you still get nothing from search B.

From looking at search B, I have a few questions:

  • What is major_message? Is it data that would allow you to determine the type of a message? Where does it come from? Could this data be used as a lookup table? That would be easier than a join.
  • Is the data in the webserver1, webserver2 and webserver3 indexes completely independent? For these searches, do you want to look at only data from one of them, or do you want to correlate data from across all three? If you only want to look at data from a selected webserver, start the search string with index=$host_select$.
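To make the advice in the answer above concrete, here is an added example (not from either poster) showing the three search shapes it discusses: the simplified search A, search B rewritten so the subsearch joins the selected index rather than only webserver1, and the lookup alternative. It assumes that $host_select$ is the dashboard token from the question (with * meaning all three indexes), that events in major_message carry the fields message and messageType, and, for the lookup variant, a hypothetical CSV lookup named major_message.csv with columns message and messageType.

```spl
search A (simplified): index=$host_select$ | table serverName message method

search B (join applied to the selected index; the subsearch must keep the join field "message", which the original "fields + messageType" dropped):
index=$host_select$
| fields serverName message method
| join type=inner message [ search index=major_message earliest=-24h | fields message messageType ]
| table serverName message method messageType

search B (left join: keep webserver events even when there is no matching message in major_message):
index=$host_select$
| fields serverName message method
| join type=left message [ search index=major_message earliest=-24h | fields message messageType ]
| table serverName message method messageType

search C (lookup instead of join; assumed lookup file major_message.csv with columns message,messageType):
index=$host_select$
| lookup major_message.csv message OUTPUT messageType
| table serverName message method messageType

search C (lookup, but dropping events with no match, which reproduces the inner-join behaviour):
index=$host_select$
| lookup major_message.csv message OUTPUT messageType
| where isnotnull(messageType)
| table serverName message method messageType
```

The inner join is what silently empties the result set when nothing in major_message matches, which is the behaviour the answer describes; the lookup form keeps every webserver event and only enriches it, so a missing match shows up as an empty messageType field that can be inspected rather than as a search that returns nothing. Note that join also runs the subsearch under the subsearch result limits, so for large major_message data the lookup approach is both simpler and more reliable.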