Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Join is not correlating and appending field data as expected

JHFRDANALYSIS
Engager
‎09-21-2024 06:33 AM

This is my query that isn't working as expected.  

index=julie sourcetype!="julie:uat:user_activity" host!="julie-uat.home.location.net:8152" application_id=julie1 policy_id=framework action=session_end "error_code"=9999 "*"

| table julie_date_time, event_name, proxy_id, error_code, session_id, device_session_id, result |rename session_id as JulieSessionId

|join type=left device_session_id [search index=julie sourcetype!="julie:uat:user_activity" host!="julie-uat.home.location.net:8152" application_id=julie1 policy_id="FETCH-DAVESESSION-ID"  action=create_ticket |table timeDave, device_session_id,  session_id |rename session_id as DAVESessionID]

Assume Primary Query returns data like following:

julie_date_time event_name proxy _id error_code Juliesession_id device_session_id result
2024-09-20T23:53:53 Login 199877 9999 1a890963 f5318902 pass
2024-09-19T08:20:00 View Profile 734023 9999 92xy9125 81b3e713 pass
2024-09-17T11:23:45 Change Profile 089234 9999 852rs814 142z7x81 pass

 

Requirement:  I want to add the DAVEsession_ID to the above table when the following query returns something like:

timeDave event_name DAVEsession_id device_session_id
2024-09-20T23:53:50 Login 1a890963 f5318902
2024-09-19T08:19:58 View Profile 92xy9125 81b3e713
2024-09-17T11:23:40 Change Profile 852rs814 142z7x81

 

Expected Outcome:

julie_date_time event_name proxy _id error_code Juliesession_id device_session_id result timeDave DAVEsession_id
2024-09-20T23:53:50 Login 199877 9999 1a890963 f5318902 pass 2024-09-20T23:53:50 1a890963
2024-09-19T08:19:58 View Profile 734023 9999 92xy9125 81b3e713 pass 2024-09-19T08:19:58 92xy9125
2024-09-20T23:53:53 Change Profile 089234 9999 852rs814 142z7x81 pass 2024-09-17T11:23:40 852rs814



Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-21-2024 09:16 AM

Try something like this

index=julie sourcetype!="julie:uat:user_activity" host!="julie-uat.home.location.net:8152" application_id=julie1
| eval DAVESessionID=if(policy_id="FETCH-DAVESESSION-ID"  AND action="create_ticket",session_id,null())
| eventstats values(DAVESessionID) as DAVESessionID by device_session_id
| where policy_id="framework" AND action="session_end" AND error_code=9999
0 Karma
Reply

antoniolamonica
SplunkTrust
SplunkTrust
‎09-21-2024 07:58 AM

Check here under "Join datasets on fields that have different names".

You may want to test by assigning aliases to see what populates from which side of the join. 
Furthermore, perform an additional table statement after your join to pull in all of the data and troubleshoot from there.
---
If this reply helps you, Karma would be appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...