Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Left join - find missing data from second index

mattiasrs
Explorer
‎02-05-2021 03:38 AM

Hello, I am quite new to Splunk and this is my first post. Hoping that I can get some help from this awesome community.

I have two systems, System A and System B. System A receives customer information which is then sent to System B . The data in both systems have the exact same fields and a unique Customer ID with the same name in both systems.

I want to create a dashboard where I can select a time period and see only problematic customers that only exist in System A, meaning they haven't been sent to System B for some reason.

This is my search to see all the data:

index=systemA OR index=systemB

| fields customer_ID, systemA_Timestamp, systemB_Timestamp

| stats values(*) as * by customer_ID

| table customer_ID, systemA_Timestamp, systemB_Timestamp

 

So to summarize, I want to see customer_IDs that only exist in System A. I am not sure which function to use here. I have been experimenting with isnull(systemB_Timestamp) with no success. Join is not an option as the limit of 50 000 might be a problem.

 

Would be very grateful for any help!

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-08-2021 01:28 AM

Try something like this

index=systemA OR index=systemB
| fields customer_ID, systemA_Timestamp, systemB_Timestamp
| stats values(*) as * by customer_ID
| fillnull value="NotPresent" systemB_Timestamp
| where systemB_Timestamp="NotPresent"
| table customer_ID, systemA_Timestamp, systemB_Timestamp

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-08-2021 01:28 AM

Try something like this

index=systemA OR index=systemB
| fields customer_ID, systemA_Timestamp, systemB_Timestamp
| stats values(*) as * by customer_ID
| fillnull value="NotPresent" systemB_Timestamp
| where systemB_Timestamp="NotPresent"
| table customer_ID, systemA_Timestamp, systemB_Timestamp
Reply
Solved! Jump to solution

mattiasrs
Explorer
‎02-08-2021 03:38 AM

Thank you!

With this I am able to achieve what I want.

Do you know if this is best practice?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-08-2021 03:45 AM

I guess that might depend on what your actual data looks like and what your criteria for determining "best" is. Using stats is usually better than join, fillnull should be reasonably inexpensive as it can be done in-stream / in parallel, same goes for the where clause.

Reply
Solved! Jump to solution

mattiasrs
Explorer
‎02-08-2021 03:47 AM

Many thanks!

0 Karma
Reply
Solved! Jump to solution

saravanan90
Contributor
‎02-05-2021 09:06 AM

Please check if the below query works.

index=systemA  NOT [search index=systemB | stats count by customer_ID | table customer_ID

0 Karma
Reply
Solved! Jump to solution

mattiasrs
Explorer
‎02-08-2021 01:14 AM

Hello,

No this returns only the raw events, not in a table format.

I tried moving |table outside the [ ] but this returns data that exist in both indexes, just not showing the data from index B.

0 Karma
Reply
Solved! Jump to solution

saravanan90
Contributor
‎02-08-2021 03:36 AM

Hello,

Is the table command outside gives still raw events of both the index.

index=systemA NOT [search index=systemB | stats count by customer_ID | table customer_ID] | table customer_ID, systemA_Timestamp

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...