Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Outer Join not working

robertlynch2020
Influencer
‎02-05-2020 10:28 AM

I have data in a CSV called 25_million_Linie_Rule.csv (example below)

host,source,count
"INTERFACES_BUILD","/hp547srv1/apps/INTERFACES_BUILD/logs/traces/mxtiming_956675_hp547srv.fr.murex.com_**1254**.log",31436700

I also have data in real time.
If the data in rela time is the same as the .csv i don'twant to report it . So an outer join is needed, but i cant get it to work.

| tstats count where index="mlc_live" OR index="mxtiming_live" by host source 
| dedup source 
| sort 0 - count 
| head 10 
| where count > 25000000 
| table host source count 
| join type=outer source  
    [| inputlookup 25_million_Linie_Rule.csv  ]

OUTPUT is below (However i get a line i already have in the csv, i should only get one line, the new line not the one i have in the .csv )

host    source  count
INTERFACES_BUILD    /hp547srv1/apps/INTERFACES_BUILD/logs/traces/mxtiming_956675_hp547srv.fr.murex.com_**1254**.log 31436700
INTERFACES_BUILD    /hp547srv1/apps/INTERFACES_BUILD/logs/traces/mxtiming_956678_hp547srv.fr.murex.com_**1992**.log 26617140

Any help would be great
Rob

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎02-05-2020 12:47 PM 
 | tstats count where index="mlc_live" OR index="mxtiming_live" by host source 
 | dedup source 
 | sort 0 - count 
 | head 10 
 | where count > 25000000 
 | table host source count 
 | join type=outer source  
     [| inputlookup 25_million_Linie_Rule.csv 
       | eval  csv=1]
 | where isnull(csv)
 | table host source count

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎02-05-2020 12:47 PM 
 | tstats count where index="mlc_live" OR index="mxtiming_live" by host source 
 | dedup source 
 | sort 0 - count 
 | head 10 
 | where count > 25000000 
 | table host source count 
 | join type=outer source  
     [| inputlookup 25_million_Linie_Rule.csv 
       | eval  csv=1]
 | where isnull(csv)
 | table host source count
0 Karma
Reply
Solved! Jump to solution

robertlynch2020
Influencer
‎02-10-2020 02:35 AM

Brill - thanks 🙂

0 Karma
Reply
Solved! Jump to solution

robertlynch2020
Influencer
‎02-06-2020 10:06 AM

Thanks for the replay,

but i get

Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎02-06-2020 03:28 PM

sorry, @robertlynch2020
I forgot to erase it. my answer is updated.

0 Karma
Reply
Solved! Jump to solution

13tsavage
Communicator
‎02-05-2020 12:08 PM

I think the join is working as intended. Because the same event that lives in your 25_million_Linie_Rule.csv also would be found in your real-time main search. Doing the join should not remove events found in your main search that match those events in your 25_million_Linie_Rule.csv as I think you want.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...