Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Performing a left join to add results that don't match current timeline

greggz
Communicator
‎12-29-2017 02:20 AM

So I want to output events from different servers. If I don't find a server with a event in the given time, I must perform a search 6months backwards and get the last event matched in that time if he exists. This is how I was trying to mimic this behaviour

index=mock_index host=* source="server.cnf" | join type=left host [search index=mock_index host=* source="server.cnf" earliest=-6mon] | table watt* host | transpose column_name=Property header_field=host 50

I was doing a left join cause it made sense to me. If there are results already in the main search don't overwrite them and Add the remaining results that found no match in the main search.

So was I going down the write path ? I'm finding no values with this query

0 Karma
Reply

cmerriman
Super Champion
‎12-29-2017 04:32 AM

What is the time frame of the base search?

If I understand what you’re trying to do, try something like this:

index=mock_index host=* source="server.cnf" |table watt* host | append [search index=mock_index host=* source="server.cnf" earliest=-6mon|table watt* host ] | stats values(*) as * by host| transpose column_name=Property header_field=host 50

The append will add all the results to the bottom of the dataset is the base search and then use stats to join them together on host. You could use latest or other commands instead of values. This is just to give you another idea to accomplish what I think you’re going after. It should give you all results not in the base search as well as in the base search.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...