Left Join search with lookup over inputlookup

Path Finder

Ciao, I'm trying to solve the following problem.
I have a main search like this:

index=major static
| fields _time, id
inc, startinc, endinc, duration, namecust, nameitbs, nameitsc, nameits, levelinc, asset, CI
| dedup id
inc
that gives me a list of incidents.

I need to append to this search, for each Application Code (CI), the required availability.
The information can be piped from the following subsearch, based on the inputlookup and lookup commands:

| inputlookup append=t DOMServiceCatalogueLookup
| rename ApplicationID as CI
| lookup AMAP
ReqAvailability Cluster_Availability as PrimaryWindows OUTPUTNEW ReqWeeklyAvailability as ReqWeeklyAvailability
| stats max(ReqWeeklyAvailability) as MaxAva by CI

I'm trying to connect the two searches through the following commands:

main search
| join type=left CI
[subsearch]

but it's not working; in the end I get an empty maxAva column when printing the results...
Any help?

Thanks in advance,
Carmine

0 Karma

Re: Left Join search with lookup over inputlookup

When you run the main search and the intended subsearch, they both return results as expected, right? And does the capitalization of the CI fields match? Is there any chance that the intended subsearch is timing out?

0 Karma

Re: Left Join search with lookup over inputlookup

Path Finder

Ciao,
if I run the searches separately, they both provide results.
Capitalization is fine (CI is a 3-letter, all-capitals code), and in a separate trial I just did a lookup on DOMServiceCatalogueLookup to retrieve the "ClusterAvailability" fields and it worked as expected...

0 Karma

Re: Left Join search with lookup over inputlookup

Hmm... Can you share an event from the primary search and an event from the subsearch that you would expect to be joined? The best way to share these would be to use the code button 101010 to preserve formatting. Maybe if we can see a few events that should be joined, we can see if there is anything obvious that would prevent the two from being joined.

0 Karma

Re: Left Join search with lookup over inputlookup

Path Finder

I solved the problem by changing the content of the subsearch.
I replaced the previous commands with the following set of instructions:

| join type=left CI
[ search index=oromajorstatic
| fields CI
| lookup DOMServiceCatalogueLookup ApplicationID as CI OUTPUTNEW PrimaryWindows as PrimaryWindows
| lookup AMAP
ReqAvailability Cluster_Availability as PrimaryWindows OUTPUTNEW ReqWeeklyAvailability as ReqWeeklyAvailability
| mvexpand PrimaryWindows
| stats max(ReqWeeklyAvailability) as maxAva by CI]

Now it works 🙂

0 Karma

Re: Left Join search with lookup over inputlookup

Great! Glad you got it solved. It's best if you accept your answer so it shows the question as solved. 🙂

0 Karma