Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Joining fields from 2 indexes- Why am I showing 0 results found?

neerajs_81
Builder
‎10-17-2022 04:10 AM

Hi All,  Before i post here i have tried everything under https://community.splunk.com/t5/Splunk-Search/How-to-join-2-indexes/m-p/560334  but couldnt figure out my search. 

Index01 contains  fields of interest as follows : 
host, hostname, agent_version,agent_date

The difference between host & hostname fields is host contains  name of HF server (which i dont want to correlate)  while hostname contains the list of device names  (which i want to correlate with Index02). 

In Index02., the fields of interest are: 
host (default field), _time (default field)

 To summarize, the field hostname from Index01 matches the values of the field host from Index02 . So this is the common denominator.

Requirement is for all the devices from index01,  find  out the latest time stamp (as in when the device last logged) from Index02.    Below is what i need to achieve:

hostname(Index01) agent_date (Index01) agent_version (Index01) LastSeen (Index02)
xxx xxx xxx xxxx
       


Have tried below 2 queries but no luck.   It shows 0 results found.  But if i run the search individually they show data.

 

 

index=index01
| rex field=dns "(?P<hostname>[a-zA-Z0-9-]+)."
| dedup hostname 
[ search index=Index02
 | stats latest(_time) as lastSeen_epoch  BY host
 | eval LastSeen=strftime(lastSeen_epoch,"%m/%d/%y %H:%M:%S")
 | fields host LastSeen ]
| table hostname agent_date agent_version LastSeen

OR  

index=index01 
[ search index=Index02
 | stats latest(_time) as lastSeen_epoch  BY host
 | eval LastSeen=strftime(lastSeen_epoch,"%m/%d/%y %H:%M:%S")
 | fields host LastSeen ]
| rex field=dns "(?P<hostname>[a-zA-Z0-9-]+)."
| dedup hostname 
| table hostname agent_date agent_version LastSeen

 

 

 

 

 




Labels (3)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-17-2022 04:46 AM

Hi @neerajs_81,

please try something like this:

index=indexA OR index=indexB
| eval 
   hostname=if(index=indexA,hostname,host), 
   LastSeen=if(index=indexB,_time,"") 
| stats values(agent_date) AS agent_date values(agent_version) AS agent_version latest(LastSeen) AS LastSeen BY hostname
| eval LastSeen=strftime(LastSeen,"%Y-%m-%d %H:%M:%S")

Ciao.

Giuseppe

Reply

neerajs_81
Builder
‎10-17-2022 05:16 AM

No luck.  It shows 0 results.  I had to customize  your search as follows:  We need to compare against a lookup file too which has a column called host

 

(index=IndexA sourcetype=xx os_version IN ("Windows")) OR (index=IndexB)
| rex field=dns "(?P<hostname>[a-zA-Z0-9-]+)."
| search [inputlookup lookup_file.csv | rename host as hostname | fields hostname]
| eval LastSeen=if(index=IndexB,_time,"") 
| stats values(agent_version) values(agent_date) latest(LastSeen) AS LastSeen BY hostname
| eval LastSeen=strftime(LastSeen,"%Y-%m-%d %H:%M:%S")

 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-17-2022 05:39 AM

An empty string "" is still a value - use null() to discount the events which are not from IndexB

(index=IndexA sourcetype=xx os_version IN ("Windows")) OR (index=IndexB)
| rex field=dns "(?P<hostname>[a-zA-Z0-9-]+)."
| search [inputlookup lookup_file.csv | rename host as hostname | fields hostname]
| eval LastSeen=if(index=IndexB,_time,null()) 
| stats values(agent_version) values(agent_date) latest(LastSeen) AS LastSeen BY hostname
| eval LastSeen=strftime(LastSeen,"%Y-%m-%d %H:%M:%S")
Reply

neerajs_81
Builder
‎10-17-2022 05:59 AM

Hi So whats happening now, is it is showing the values of the fields from IndexA only.  The LastSeen column (that comes from IndexB) is empty .  Earlier with my 2 queries it was showing 0 results.

hostnameagent_versionagent_dateLastSeen
xxxxxxxxxxx 
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-17-2022 06:42 AM

Try with quotes around the string constants

(index="IndexA" sourcetype=xx os_version IN ("Windows")) OR (index="IndexB")
| rex field=dns "(?P<hostname>[a-zA-Z0-9-]+)."
| search [inputlookup lookup_file.csv | rename host as hostname | fields hostname]
| eval LastSeen=if(index="IndexB",_time,null()) 
| stats values(agent_version) values(agent_date) latest(LastSeen) AS LastSeen BY hostname
| eval LastSeen=strftime(LastSeen,"%Y-%m-%d %H:%M:%S")
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...