Pass field from joined search into primary search ...

gabrieleguidoni · ‎09-30-2021

Hello I would like to pass a value from a joined search (e.g. in this case the "Side") to the final table.

I tried different append approaches with no success.

Also I believe the performances of the below query could potentially be enhanced. It works, but maybe the use of transaction is not perfect.

cs_stage=PROD cs_component_id=TOU TOFF_MARGIN_CALCULATOR
| rex field=_raw "channel name: (?<reqid>.*),"
| transaction reqid
| join reqid [search cs_stage=PROD cs_component_id=TOU rest.ValidateTradingOrderRestAdaptor.validateTradingOrder | rex field=_raw "<transactionType>(?<Side>.*)<\/transactionType>"]
| rex field=_raw "inflight_order_exposure: (?<InflightOrderExposure>\d*\D*\d*)"
| rex field=_raw "open_orders_exposure: (?<OpenOrdersExposure>\d*\D*\d*)"
| rex field=_raw "positions_exposure: (?<PositionExposure>\d*\D*\d*)"
| rex field=_raw "total_potential_exposure: (?<TotalPotentialExposure>\d*\D*\d*)"
| rex field=_raw "limit: (?<Limit>\d*\D*\d*\D*\d*)"
| rex field=_raw "limit_type_value: (?<LimitTypeValue>\S*)"
| rex field=_raw "available_limit: (?<AvailableLimit>\d*\D*\d*\D*\d*)\s*,"
| rex field=_raw "cif_=(?<CIF>.*[0-9]),memoizedIsInitialized"
| rex field=_raw "csfid_=(?<csfiid>.*),shortSale_"
| table reqid _time CIF Side csfiid InflightOrderExposure OpenOrdersExposure PositionExposure TotalPotentialExposure Limit LimitTypeValue AvailableLimit duration

isoutamo · ‎09-30-2021

Hi

maybe this helps you https://community.splunk.com/t5/Splunk-Search/Join-with-subsearch-doesn-t-gives-me-expected-results/... to do this more efficiently?

r. Ismo

Pass field from joined search into primary search table

join

table

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?