Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Perform a join where the timeframes are different

swangertyler
Path Finder
‎03-21-2019 12:35 PM

In my data, events can have children. There is data in those events that I would want to associate with the parent event. When I do my base search, sometimes I find events where the parent event is created outside of the global time picker window. The only way I can think to solve this is by I can join a sub-search and have the sub-search be a different time window?
My existing search is as follows:

"base search with sourcetype=A"
| rename display_value as parent_num
|  join type=outer parent_num
[search "second search with sourtype=A"
| dedup number sortby -sys_updated_on
| rename priority as parent_priority, number as parent_num, u_incident_type as type, 
| table parent_num, parent_priority, type, parent_assignment]
| eval type = if(parent!="*", u_incident_type, type)

This works, except when, for example, if I am looking at the past 24 hours, and the "parent" was created before. I am sure there are a number of ways to solve this, but this seems most apparent to me. I don't want to exclude the occasions when I am "missing" the data.

0 Karma
Reply

MuS
Legend
‎03-21-2019 12:54 PM

Hi swangertyler,

Don't use join for reasons.

Use multisearch instead, it will not hit any hidden limits without telling you.

Try something like this:

| multisearch 
    [ search "base search with sourcetype=A" earliest=-1d@d latest=-0d@d 
    | rename display_value as parent_num ] 
    [ search "second search with sourtype=A" earliest=-3d@d latest=-2d@d 
    | rename priority as parent_priority, number as parent_num, u_incident_type as type ] 
| dedup number sortby -sys_updated_on 
| table parent_num, parent_priority, type, parent_assignment 
| eval type = if(parent!="*", u_incident_type, type)

might need some tweaking to make it fully work, but you get an idea how it works.

hope this helps ...

cheers, MuS

0 Karma
Reply

swangertyler
Path Finder
‎03-25-2019 11:16 AM

I could not get this to work satisfactorily. I ended up taking what I wanted as the second search, and using a report to make a csv, then joining on an inputlookup. Curating the search and sending it to a csv should keep me from running into any of those secret limits from joins.

I have yet to figure out how to get multisearch to work as I need it to.

0 Karma
Reply

briancronrath
Contributor
‎03-25-2019 11:39 AM

It will still hit secret limits of the number of rows returned by the csv exceeds whatever your maximum rows a subsearch can return is set to. If you are curating the data to a csv beforehand I'd just use the lookup command since it's already a lookup

0 Karma
Reply

swangertyler
Path Finder
‎03-25-2019 12:11 PM

That is a good idea/point. Do I gain anything else from using a lookup vs. join [|inputlookup etc]?

I do not think in my case that I will hit any limits.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...