Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Outer Join not working

robertlynch2020
Influencer
‎02-05-2020 10:28 AM

I have data in a CSV called 25_million_Linie_Rule.csv (example below)

host,source,count
"INTERFACES_BUILD","/hp547srv1/apps/INTERFACES_BUILD/logs/traces/mxtiming_956675_hp547srv.fr.murex.com_**1254**.log",31436700

I also have data in real time.
If the data in rela time is the same as the .csv i don'twant to report it . So an outer join is needed, but i cant get it to work.

| tstats count where index="mlc_live" OR index="mxtiming_live" by host source 
| dedup source 
| sort 0 - count 
| head 10 
| where count > 25000000 
| table host source count 
| join type=outer source  
    [| inputlookup 25_million_Linie_Rule.csv  ]

OUTPUT is below (However i get a line i already have in the csv, i should only get one line, the new line not the one i have in the .csv )

host    source  count
INTERFACES_BUILD    /hp547srv1/apps/INTERFACES_BUILD/logs/traces/mxtiming_956675_hp547srv.fr.murex.com_**1254**.log 31436700
INTERFACES_BUILD    /hp547srv1/apps/INTERFACES_BUILD/logs/traces/mxtiming_956678_hp547srv.fr.murex.com_**1992**.log 26617140

Any help would be great
Rob

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎02-05-2020 12:47 PM 
 | tstats count where index="mlc_live" OR index="mxtiming_live" by host source 
 | dedup source 
 | sort 0 - count 
 | head 10 
 | where count > 25000000 
 | table host source count 
 | join type=outer source  
     [| inputlookup 25_million_Linie_Rule.csv 
       | eval  csv=1]
 | where isnull(csv)
 | table host source count

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎02-05-2020 12:47 PM 
 | tstats count where index="mlc_live" OR index="mxtiming_live" by host source 
 | dedup source 
 | sort 0 - count 
 | head 10 
 | where count > 25000000 
 | table host source count 
 | join type=outer source  
     [| inputlookup 25_million_Linie_Rule.csv 
       | eval  csv=1]
 | where isnull(csv)
 | table host source count
0 Karma
Reply
Solved! Jump to solution

robertlynch2020
Influencer
‎02-10-2020 02:35 AM

Brill - thanks 🙂

0 Karma
Reply
Solved! Jump to solution

robertlynch2020
Influencer
‎02-06-2020 10:06 AM

Thanks for the replay,

but i get

Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎02-06-2020 03:28 PM

sorry, @robertlynch2020
I forgot to erase it. my answer is updated.

0 Karma
Reply
Solved! Jump to solution

13tsavage
Communicator
‎02-05-2020 12:08 PM

I think the join is working as intended. Because the same event that lives in your 25_million_Linie_Rule.csv also would be found in your real-time main search. Doing the join should not remove events found in your main search that match those events in your 25_million_Linie_Rule.csv as I think you want.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...