Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Join index's together.

jerinvarghese
Communicator
‎08-07-2020 05:25 AM

HI all,

I have 2 index, that have same common field together.  I want to join both together.

Query 1: 

 

 

index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown" 
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| table nodelabel, Status, Time

 

 

Query 2 : 

 

 

index=itsm sourcetype=remedy_midtier
| rename _time as Time
| fieldformat Time=strftime(Time,"%Y-%m-%d %l:%M:%S %p")
| table nodelabel, Incident_Number, Time

 

 

Output table 1: 

nodelabel Status Time

CASCOUp2020-08-07 5:45:28 PM
AERIBUp2020-08-07 5:30:05 PM
CNPYUUp2020-08-07 5:34:41 PM


Output Table 2: 

nodelabel Incident_Number Time

CASCOINC0000138500382020-08-07 5:45:28 PM
CNPTTINC0000138500322020-08-07 5:34:42 PM
CNPYUINC0000138500322020-08-07 5:34:41 PM

 

 expected output: 

nodelabel Incident_Number Status Time

CASCOINC000013850038UP2020-08-07 5:45:28 PM
CNPTTINC000013850032 2020-08-07 5:34:42 PM
CNPYUINC000013850032UP2020-08-07 5:34:41 PM

 

I used join inner command but it failed. please help me in the join function. here nodelabel should be the common factor.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-07-2020 05:35 AM

Hi @jerinvarghese,

you could use the join command

index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown" 
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| table nodelabel Status Time 
| join nodelabel [ search 
     index=itsm sourcetype=remedy_midtier
     | rename _time as Time
     | fieldformat Time=strftime(Time,"%Y-%m-%d %l:%M:%S %p")
     | table nodelabel Incident_Number Time 
     ]
| table table nodelabel Incident_Number Status Time

but I don't like because  it's very slow and there's the limit of 50,000 results in subsearch.

So I hint to explore a different approach using the stats command:

(index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown") OR (index=itsm sourcetype=remedy_midtier) 
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time values(Incident_Number) AS Incident_Number latest(Status) as Status by nodelabel
| table table nodelabel Incident_Number Status Time

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-07-2020 05:35 AM

Hi @jerinvarghese,

you could use the join command

index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown" 
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| table nodelabel Status Time 
| join nodelabel [ search 
     index=itsm sourcetype=remedy_midtier
     | rename _time as Time
     | fieldformat Time=strftime(Time,"%Y-%m-%d %l:%M:%S %p")
     | table nodelabel Incident_Number Time 
     ]
| table table nodelabel Incident_Number Status Time

but I don't like because  it's very slow and there's the limit of 50,000 results in subsearch.

So I hint to explore a different approach using the stats command:

(index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown") OR (index=itsm sourcetype=remedy_midtier) 
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time values(Incident_Number) AS Incident_Number latest(Status) as Status by nodelabel
| table table nodelabel Incident_Number Status Time

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

jerinvarghese
Communicator
‎08-07-2020 06:15 AM

Hi @gcusello 

thanks for the reply, i got the output, but there is a problem, output ignores all those values which doesn't have Incidnet_number.

I need those nodelabel as well with blank value for Incident_number. 

please help in that

i used below command, hope this is right method.

| join type=outer nodelabel 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-07-2020 08:05 AM

Hi @jerinvarghese,

as I said, I don't like join so I prefer the second solution that I hint to explore and use:

you are using a DB approach, but Splunk isn't a DB!

About your problem, did you tried to invert the two searches?

Ciao.

Giuseppe

P.s.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...