Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Join 2 searches and finding the difference in the output.

arungeorge09
Path Finder
‎12-15-2014 01:54 AM

I want to join 2 queries by a common field and the counts of the searches are different. I want to work on the dataset which does not join.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

arungeorge09
Path Finder
‎12-15-2014 02:12 AM

My two searches are here.

index=xyz event="NEAT-IN" platform="APNS" | join type=inner platform,batch [search index=xyz event="push*"] | stats count(event)

Each individual query count is different but when joined it always counts the joined count as the largest count.

View solution in original post

Reply
Solved! Jump to solution
Solution

arungeorge09
Path Finder
‎12-15-2014 02:12 AM

My two searches are here.

index=xyz event="NEAT-IN" platform="APNS" | join type=inner platform,batch [search index=xyz event="push*"] | stats count(event)

Each individual query count is different but when joined it always counts the joined count as the largest count.

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎12-15-2014 02:23 AM

no need to join, try this:

index=xyz event="NEAT-IN" platform="APNS"  OR event="push*" 
| stats count(eval(event="NEAT-IN")) AS count_NEAT count(eval(event="push*")) AS count_push by platform, batch

cheers, MuS

Reply
Solved! Jump to solution

arungeorge09
Path Finder
‎12-15-2014 04:22 AM

@Mus Executed the query but count_push is coming as zero . Looks like splunk does not do count(eval(event="push*"))

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎12-15-2014 04:33 AM

or try this:

index=xyz event="NEAT-IN" platform="APNS"  OR event="push*" 
 | stats count(eval(event="NEAT-IN")) AS count_NEAT count(eval(if(match(event, push) , 1, 0 ))) AS count_push by platform, batch
0 Karma
Reply
Solved! Jump to solution

arungeorge09
Path Finder
‎12-15-2014 04:48 AM

Now both counts are coming as 578.

Query used:
index=xyz event="NEAT-IN" platform="APNS" OR event="push*"
| stats count(eval(event="NEAT-IN")) AS count_NEAT count(eval(if(match(event, push) , 1, 0 ))) AS count_push by platform

The output is 578,578 . This is not correct @MuS.

It should be 578,488

Any Idea what is happening.

0 Karma
Reply
Solved! Jump to solution

arungeorge09
Path Finder
‎12-15-2014 04:56 AM

NEAT-IN

<167>1 2014-12-14T18:23:49.908-07:00 x.y.com neat 901 apns [meta@28281 sequenceId="69599" sysUpTime="1109890868"][analytics@28281 event="NEAT-IN" platform="APNS"] {"timestamp":"1418606629897","platform":"apns","alertId":"1404841346","appId":"appId","args":{"time":"1418606629788","batch":"48288","tms_id":"tmsId","src":"src"},"deviceToken":"devToken","alert":"Exciting Game"}

pushApns

<167>1 2014-12-14T18:23:49.909-07:00 x.y.com neat 6627 apns [meta@28281 sequenceId="71272" sysUpTime="1109890867"][analytics@28281 event="pushApns" platform="APNS" outcome="0" errorCode="0" errorDesc="Push to apns success" errorContext="TCP-SSL" operation="PUSH_APNS" opTime="0" startTime="1418606629908" appId="appId" deviceToken="devToken" args="{\"time\":\"1418606629788\",\"batch\":\"48288\",\"tms_id\":\"tms_id\",\"src\":\"src\"}" txId="2099269910"]

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎12-15-2014 05:02 AM

this should provide the correct count:

index=xyz event="NEAT-IN" OR event="pushApns" platform="APNS" 
| stats count(eval(event="NEAT-IN")) AS count_NEAT count(event="pushApns") AS count_push
0 Karma
Reply
Solved! Jump to solution

arungeorge09
Path Finder
‎12-15-2014 06:30 AM

Why not the previous one.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎12-15-2014 06:36 AM

because count(event="pushApns") is not the same like count(eval(if(match(event, push) , 1, 0 )))
the first will match only the event field which contains pushApns but the later will match any event field containing push like foopush or pushbaz or pushApns

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

Reply
Solved! Jump to solution

arungeorge09
Path Finder
‎12-15-2014 06:54 AM

But event can be only pushApns or NEAT-IN

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎12-15-2014 04:48 AM

No, can you provide some samples of your events?

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎12-15-2014 04:27 AM

could be try it without the star/wildcard and use the value you need instaed

0 Karma
Reply
Solved! Jump to solution

arungeorge09
Path Finder
‎12-15-2014 02:19 AM

Not understanding how the count got goofed up

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎12-15-2014 02:07 AM

What do you mean by missing ? You lose the rows after you perform a join ?

0 Karma
Reply
Solved! Jump to solution

arungeorge09
Path Finder
‎12-15-2014 02:14 AM

I have 2 searches and there counts are different. I want to find the rows which don't join.

0 Karma
Reply
Solved! Jump to solution

arungeorge09
Path Finder
‎12-15-2014 02:16 AM

event="NEAT-IN" has 578 count
event="pushApns" has only 488 count
I want to know which 578-488 are the missing ones and do further query on them

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...