Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk - join two search queries having common field

Nidheesh
Explorer
‎09-15-2017 12:22 AM

Hi,

I need to join two splunk search queries based on a common field (JoinId).

All I would like to have at the output is to return how many values of that particular common field is mapped from both queries and how many are unmapped from query2.

Can someone help me with this?

query1:

index="source1" "layer-monitor" ServiceEvent "debug"| search NOT ErrorMessage=* | stats count(JoinId) as "Total success"

query2:

index="source2" sourcetype="sourceData" "Message=Log Message invoked" JoinId

I would like to know how many JoinId fields of query2 are unmapped with respect to query1 JoinId

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎09-15-2017 04:34 AM

maybe something like this:

(index="source1" "layer-monitor" ServiceEvent "debug" NOT ErrorMessage=*) OR (index="source2" sourcetype="sourceData" "Message=Log Message invoked" JoinId)|eval source1JoinId=if(index="source1",JoinId,null())|eval source2JoinId=if(index="source2",JoinId,null())|stats count(source1JoinId) as s1JoinId count(source2JoinId) as s2JoinId by JoinId|eval unmappedSource2=if(s2JoinId=0 AND s1JoinId>0,1,0)|stats sum(unmappedSource2) as unmappedSource2

that should give you how many JoinIds in source2 are not in source1. You can break the syntax apart pipe by pipe to double check it's working properly

View solution in original post

Reply
Solved! Jump to solution

lfedak_splunk
Splunk Employee
Splunk Employee
‎09-15-2017 02:50 PM

Hey @Nidheesh, if either of these solutions work for you, please remember to "Accept" the answer. You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-15-2017 04:37 AM

Hi Nidheesh,
Try something like this

index="source2" sourcetype="sourceData" "Message=Log Message invoked"  NOT [ search index=source1 "layer-monitor" ServiceEvent debug NOT ErrorMessage=* | dedup JoinId | fields JoinId ]
| dedup JoinId
| table JoinId

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎09-15-2017 04:34 AM

maybe something like this:

(index="source1" "layer-monitor" ServiceEvent "debug" NOT ErrorMessage=*) OR (index="source2" sourcetype="sourceData" "Message=Log Message invoked" JoinId)|eval source1JoinId=if(index="source1",JoinId,null())|eval source2JoinId=if(index="source2",JoinId,null())|stats count(source1JoinId) as s1JoinId count(source2JoinId) as s2JoinId by JoinId|eval unmappedSource2=if(s2JoinId=0 AND s1JoinId>0,1,0)|stats sum(unmappedSource2) as unmappedSource2

that should give you how many JoinIds in source2 are not in source1. You can break the syntax apart pipe by pipe to double check it's working properly

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...