Solved: Search without join for multiple index

vikashperiwal · ‎10-31-2019

Hi,

I have a requirement where I have 2 Index, I want to display the raw data, Below is the query I tried but I am not able to show complete data.

Fields A B C D E F G H I J L M P Q R S T U V W X Y Z A1 A2 A3 A4 A5 are not seen in a table from index= abc, guide me if there is some wrong with my approach

( index=abc sourcetype=ISUP_EVENT_ACCESS_VW earliest=-8h@h latest=-4h@h ) OR (index=csvlookups source="*SWITCH*") 
| fields - _raw 
| eval N=coalesce(N,OPC) 
| eval O=coalesce(O,DPC) 
| eval K=coalesce(K,CIC) 
| search N=* AND O=* AND K=* 
| eventstats values(OPC) as OPC values(DPC) as DPC values(CLLI) as CLLI values(ADMININF) as ADMININF values(ADNUM) as ADNUM values(TRKGRSIZ) as TRKGRSIZ values(NETNAME) as NETNAME values(SWITCH) as SWITCH values(MEMNAME) as MEMNAME values(RTESET) as RTESET values(CIC) as CIC by N O K 
| eval Call="Outbound" 
| fields **A B C D E F G H I J L M P Q R S T U V W X Y Z A1 A2 A3 A4 A5** N OPC O DPC K CIC CLLI ADMININF ADNUM TRKGRSIZ NETNAME SWITCH MEMNAME RTESET Call 
| table **A B C D E F G H I J L M P Q R S T U V W X Y Z** A1 A2 A3 A4 A5 N OPC O DPC K CIC CLLI ADMININF ADNUM TRKGRSIZ NETNAME SWITCH MEMNAME RTESET Call 
| search OPC=* AND DPC=* 
| rename K as "TCIC" N as "Originating_Point_Code" O as "Destination_Point_Code"

gcusello · ‎10-31-2019

Hi vikashperiwal,
why do you used fields - _raw?
in this way you haven't che content of event's any more!

Ciao.
Giuseppe

View solution in original post

vharshit · ‎11-06-2019

When we run the query in fast mode for different time ranges(say Last 24 hours, All Time), it returns different results everytime. Is it some bug?

gcusello · ‎10-31-2019

Hi vikashperiwal,
why do you used fields - _raw?
in this way you haven't che content of event's any more!

Ciao.
Giuseppe

vikashperiwal · ‎10-31-2019

the only reason i included fields - _raw is because my query is getting auto finalize because of large number of events

vikashperiwal · ‎10-31-2019

even after removing fields - _raw and kepping earliest-1 hr , i am having same issue ...not able to show fields A B C D E F G H I J L M P Q R S T U V W X Y Z A1 A2 A3 A4 A5 along with other fields

gcusello · ‎11-01-2019

Hi vikashperiwal,,
at first which Mode are you using? try with Verbose.

If you simplify your search in this way you still haven't fields?

(index=abc sourcetype=ISUP_EVENT_ACCESS_VW earliest=-8h@h latest=-4h@h) OR (index=csvlookups source="*SWITCH*") 
| eval N=coalesce(N,OPC), O=coalesce(O,DPC), K=coalesce(K,CIC) 
| search N=* O=* K=* 
| eventstats values(OPC) as OPC values(DPC) as DPC values(CLLI) as CLLI values(ADMININF) as ADMININF values(ADNUM) as ADNUM values(TRKGRSIZ) as TRKGRSIZ values(NETNAME) as NETNAME values(SWITCH) as SWITCH values(MEMNAME) as MEMNAME values(RTESET) as RTESET values(CIC) as CIC by N O K 
| eval Call="Outbound" 
| table A B C D E F G H I J L M P Q R S T U V W X Y Z A1 A2 A3 A4 A5 N OPC O DPC K CIC CLLI ADMININF ADNUM TRKGRSIZ NETNAME SWITCH MEMNAME RTESET Call 
 | search OPC=* DPC=* 
 | rename K as "TCIC" N as "Originating_Point_Code" O as "Destination_Point_Code"

Ciao.
Giuseppe

vikashperiwal · ‎11-01-2019

Thanks for your time and effort .. Its really appreciated

This is query is working for me now.... will ask the user to validate the data.

Search without join for multiple index

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?