Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Join index's together.

jerinvarghese
Communicator
‎08-07-2020 05:25 AM

HI all,

I have 2 index, that have same common field together.  I want to join both together.

Query 1: 

 

 

index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown" 
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| table nodelabel, Status, Time

 

 

Query 2 : 

 

 

index=itsm sourcetype=remedy_midtier
| rename _time as Time
| fieldformat Time=strftime(Time,"%Y-%m-%d %l:%M:%S %p")
| table nodelabel, Incident_Number, Time

 

 

Output table 1: 

nodelabel Status Time

CASCOUp2020-08-07 5:45:28 PM
AERIBUp2020-08-07 5:30:05 PM
CNPYUUp2020-08-07 5:34:41 PM


Output Table 2: 

nodelabel Incident_Number Time

CASCOINC0000138500382020-08-07 5:45:28 PM
CNPTTINC0000138500322020-08-07 5:34:42 PM
CNPYUINC0000138500322020-08-07 5:34:41 PM

 

 expected output: 

nodelabel Incident_Number Status Time

CASCOINC000013850038UP2020-08-07 5:45:28 PM
CNPTTINC000013850032 2020-08-07 5:34:42 PM
CNPYUINC000013850032UP2020-08-07 5:34:41 PM

 

I used join inner command but it failed. please help me in the join function. here nodelabel should be the common factor.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-07-2020 05:35 AM

Hi @jerinvarghese,

you could use the join command

index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown" 
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| table nodelabel Status Time 
| join nodelabel [ search 
     index=itsm sourcetype=remedy_midtier
     | rename _time as Time
     | fieldformat Time=strftime(Time,"%Y-%m-%d %l:%M:%S %p")
     | table nodelabel Incident_Number Time 
     ]
| table table nodelabel Incident_Number Status Time

but I don't like because  it's very slow and there's the limit of 50,000 results in subsearch.

So I hint to explore a different approach using the stats command:

(index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown") OR (index=itsm sourcetype=remedy_midtier) 
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time values(Incident_Number) AS Incident_Number latest(Status) as Status by nodelabel
| table table nodelabel Incident_Number Status Time

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-07-2020 05:35 AM

Hi @jerinvarghese,

you could use the join command

index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown" 
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| table nodelabel Status Time 
| join nodelabel [ search 
     index=itsm sourcetype=remedy_midtier
     | rename _time as Time
     | fieldformat Time=strftime(Time,"%Y-%m-%d %l:%M:%S %p")
     | table nodelabel Incident_Number Time 
     ]
| table table nodelabel Incident_Number Status Time

but I don't like because  it's very slow and there's the limit of 50,000 results in subsearch.

So I hint to explore a different approach using the stats command:

(index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown") OR (index=itsm sourcetype=remedy_midtier) 
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time values(Incident_Number) AS Incident_Number latest(Status) as Status by nodelabel
| table table nodelabel Incident_Number Status Time

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

jerinvarghese
Communicator
‎08-07-2020 06:15 AM

Hi @gcusello 

thanks for the reply, i got the output, but there is a problem, output ignores all those values which doesn't have Incidnet_number.

I need those nodelabel as well with blank value for Incident_number. 

please help in that

i used below command, hope this is right method.

| join type=outer nodelabel 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-07-2020 08:05 AM

Hi @jerinvarghese,

as I said, I don't like join so I prefer the second solution that I hint to explore and use:

you are using a DB approach, but Splunk isn't a DB!

About your problem, did you tried to invert the two searches?

Ciao.

Giuseppe

P.s.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...