Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Join issue

v11n
New Member
‎12-22-2021 12:03 PM

I want to join two source types ST1(has fields id,title) and ST2(no fields only _raw="xid https://www.example.com?q1=test1&q2=test2") . I have tried via join it is working but due to sub search row constraint, I  am getting wrong result. I have tried without join(sourcetype="ST1" OR sourcetype="ST2" approach), I am getting incorrect result.

sourcetype="ST1" (id,title are fields here)

id=1 title=one
id=2 title=two
 id=3 title=three


sourcetype="ST2"

_raw
1 "GET https://www.example.com?q1=one"
2 "GET https://www.example.com?q1=test&q2=test2"
 3 "GET https://www.example.com?q3=thr"


I want to join these source types and get the below output(grab the url params alone in source type ST2). Can you please help me on this?

idtitleparams
1oneq1=one
2twoq1=test&q2=test2
3threeq3=thr
Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎12-22-2021 01:43 PM

You need to grab the fields from your ST2 data row with rex, e.g. try this example

| makeresults
| eval x=split("id=1 title=one,id=2 title=two,id=3 title=three", ",")
| mvexpand x
| eval _raw=x
| extract
| table id title _raw
| append [
  | makeresults
  | eval _raw="1 \"GET https://www.example.com?q1=one\"
2 \"GET https://www.example.com?q1=test&q2=test2\"
3 \"GET https://www.example.com?q3=thr\""
  | multikv noheader=t 
  | table _raw
]
| rex field=_raw "^(?<id>\d+).*\?(?<params>.*)"
| stats values(*) as * by id
| table id title params

 Note that the rex statement must only grab the id and params from the ST2 sourcetypes, so this relies on _raw from ST1 NOT matching the rex pattern, so that id from the ST1 is not overwritten by an extraction.

 

0 Karma
Reply

johnhuang
Motivator
‎12-22-2021 01:30 PM

Use stats and combine the searches whenever possible since its much more efficient.

Here's a possible way to skinning it:

(sourcetype="ST1" OR sourcetype="ST2")
| fields _time id title _raw
| rex field=_raw "^(?<event_id>\d+)\s\"(?<event_type>[^\s]*)\s(?<base_url>[^\?]*)(\?(?<params>[^\"]*))?"
| eval id=COALESCE(id, event_id)
| stats values(event_id) AS event_id values(base_url) AS base_url values(params) AS params max(title) AS title values(event_type) AS event_type max(_time) AS _time by id
| table _time id title event_type base_url params

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...