Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Join two searches by different field names

akhanVG
Path Finder
‎04-24-2015 10:17 AM

I have a search I'm running which now works fine

index="ecom" eventName=pageLoad | regex referrer="^http://www.example.com/these-files/*" | rex field=referrer "(?.*?)\?" | rex field=new_referrer mode=sed "s/^http:\/\/www.example.com/ /g" | stats count as clicksOut by new_referrer | rename new_referrer as currentPage

This gets me results such as
currentPage - clicksOut
/these-files/abc - 4
/these-files/def - 5

etc.

I am now trying to join a separate search based on the currentPage field

| join currentPage [search index="ecom" eventName=pageLoad | stats count as pageViews by currentPage]

If I run this search I get back a variety of results (as should be)
/ - 100
/these-files - 400
/these-files/abc - 10
/these-files/def - 5

Ideally when the join occurs I'd have a list of all clicksOut and pageViews
currentPage - clicksOut - pageViews
/these-files/abc - 4 - 10
/these-files/def - 5 - 5

When I run the full search below I get no results though - any ideas?

index="ecom" eventName=pageLoad | regex referrer="^http://www.example.com/these-files/*" | rex field=referrer "(?.*?)\?" | rex field=new_referrer mode=sed "s/^http:\/\/www.example.com/ /g" | stats count as clicksOut by new_referrer | rename new_referrer as currentPage | join currentPage [search index="ecom" eventName=pageLoad | stats count as pageViews by currentPage]

Tags (1)
0 Karma
Reply

masonmorales
Influencer
‎04-24-2015 11:54 AM

If this works for you, please click "Accept Answer"...

index="ecom" eventName=pageLoad 
| regex referrer="^http://www.example.com/these-files/*" 
| rex field=referrer "(?.*?)?" 
| rex field=new_referrer mode=sed "s/^http://www.example.com/ /g"
| stats count as pageViews, count(eval(new_referrer="*")) as clicksOut by currentPage
| fillnull value=0 pageViews clicksOut
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-24-2015 10:56 AM

Your subsearches don't have a currentPage field - they have pageviews. That aside, I think you'd have better results with the appendcols command.

index="ecom" eventName=pageLoad | regex referrer="^http://www.example.com/these-files/*" | rex field=referrer "(?.*?)?" | rex field=new_referrer mode=sed "s/^http://www.example.com/ /g" | stats count as clicksOut by new_referrer | rename new_referrer as currentPage | appendcols [search index="ecom" eventName=pageLoad | stats count as pageViews by currentPage]
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

akhanVG
Path Finder
‎04-24-2015 11:07 AM

No dice - I tried this but the clicksOut always comes up as blank.

0 Karma
Reply

dolivasoh
Contributor
‎04-24-2015 10:52 AM

You shouldn't need to do the same join twice here and you can use join type=left to still get your original result set even if noting matched. Try removing the last join and change the first one to join type=left and let us all know the results. It may be that the joined result set has no matches or doesn't exist.

Reply

akhanVG
Path Finder
‎04-24-2015 10:56 AM

Oh shoot that was a mistake in formatting there is only one join but I'll see if left works

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...