Re: Performing a left join to add results that don...

greggz · ‎12-29-2017

So I want to output events from different servers. If I don't find a server with a event in the given time, I must perform a search 6months backwards and get the last event matched in that time if he exists. This is how I was trying to mimic this behaviour

index=mock_index host=* source="server.cnf" | join type=left host [search index=mock_index host=* source="server.cnf" earliest=-6mon] | table watt* host | transpose column_name=Property header_field=host 50

I was doing a left join cause it made sense to me. If there are results already in the main search don't overwrite them and Add the remaining results that found no match in the main search.

So was I going down the write path ? I'm finding no values with this query

cmerriman · ‎12-29-2017

What is the time frame of the base search?

If I understand what you’re trying to do, try something like this:

index=mock_index host=* source="server.cnf" |table watt* host | append [search index=mock_index host=* source="server.cnf" earliest=-6mon|table watt* host ] | stats values(*) as * by host| transpose column_name=Property header_field=host 50

The append will add all the results to the bottom of the dataset is the base search and then use stats to join them together on host. You could use latest or other commands instead of values. This is just to give you another idea to accomplish what I think you’re going after. It should give you all results not in the base search as well as in the base search.

Performing a left join to add results that don't match current timeline

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases