Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Outer Join not working

robertlynch2020
Influencer
‎02-05-2020 10:28 AM

I have data in a CSV called 25_million_Linie_Rule.csv (example below)

host,source,count
"INTERFACES_BUILD","/hp547srv1/apps/INTERFACES_BUILD/logs/traces/mxtiming_956675_hp547srv.fr.murex.com_**1254**.log",31436700

I also have data in real time.
If the data in rela time is the same as the .csv i don'twant to report it . So an outer join is needed, but i cant get it to work.

| tstats count where index="mlc_live" OR index="mxtiming_live" by host source 
| dedup source 
| sort 0 - count 
| head 10 
| where count > 25000000 
| table host source count 
| join type=outer source  
    [| inputlookup 25_million_Linie_Rule.csv  ]

OUTPUT is below (However i get a line i already have in the csv, i should only get one line, the new line not the one i have in the .csv )

host    source  count
INTERFACES_BUILD    /hp547srv1/apps/INTERFACES_BUILD/logs/traces/mxtiming_956675_hp547srv.fr.murex.com_**1254**.log 31436700
INTERFACES_BUILD    /hp547srv1/apps/INTERFACES_BUILD/logs/traces/mxtiming_956678_hp547srv.fr.murex.com_**1992**.log 26617140

Any help would be great
Rob

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎02-05-2020 12:47 PM 
 | tstats count where index="mlc_live" OR index="mxtiming_live" by host source 
 | dedup source 
 | sort 0 - count 
 | head 10 
 | where count > 25000000 
 | table host source count 
 | join type=outer source  
     [| inputlookup 25_million_Linie_Rule.csv 
       | eval  csv=1]
 | where isnull(csv)
 | table host source count

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎02-05-2020 12:47 PM 
 | tstats count where index="mlc_live" OR index="mxtiming_live" by host source 
 | dedup source 
 | sort 0 - count 
 | head 10 
 | where count > 25000000 
 | table host source count 
 | join type=outer source  
     [| inputlookup 25_million_Linie_Rule.csv 
       | eval  csv=1]
 | where isnull(csv)
 | table host source count
0 Karma
Reply
Solved! Jump to solution

robertlynch2020
Influencer
‎02-10-2020 02:35 AM

Brill - thanks 🙂

0 Karma
Reply
Solved! Jump to solution

robertlynch2020
Influencer
‎02-06-2020 10:06 AM

Thanks for the replay,

but i get

Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎02-06-2020 03:28 PM

sorry, @robertlynch2020
I forgot to erase it. my answer is updated.

0 Karma
Reply
Solved! Jump to solution

13tsavage
Communicator
‎02-05-2020 12:08 PM

I think the join is working as intended. Because the same event that lives in your 25_million_Linie_Rule.csv also would be found in your real-time main search. Doing the join should not remove events found in your main search that match those events in your 25_million_Linie_Rule.csv as I think you want.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...