Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Performing a left join to add results that don't match current timeline

greggz
Communicator
‎12-29-2017 02:20 AM

So I want to output events from different servers. If I don't find a server with a event in the given time, I must perform a search 6months backwards and get the last event matched in that time if he exists. This is how I was trying to mimic this behaviour

index=mock_index host=* source="server.cnf" | join type=left host [search index=mock_index host=* source="server.cnf" earliest=-6mon] | table watt* host | transpose column_name=Property header_field=host 50

I was doing a left join cause it made sense to me. If there are results already in the main search don't overwrite them and Add the remaining results that found no match in the main search.

So was I going down the write path ? I'm finding no values with this query

0 Karma
Reply

cmerriman
Super Champion
‎12-29-2017 04:32 AM

What is the time frame of the base search?

If I understand what you’re trying to do, try something like this:

index=mock_index host=* source="server.cnf" |table watt* host | append [search index=mock_index host=* source="server.cnf" earliest=-6mon|table watt* host ] | stats values(*) as * by host| transpose column_name=Property header_field=host 50

The append will add all the results to the bottom of the dataset is the base search and then use stats to join them together on host. You could use latest or other commands instead of values. This is just to give you another idea to accomplish what I think you’re going after. It should give you all results not in the base search as well as in the base search.

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...