Splunk Search

Two Queries That Return Results Do not Return Results After Join

ryanmcdermott12
Explorer

I have written two individual queries that both return the expected results.
A.
tag=tag name
location="location name"
message="error message"
status=400
| rex field=_raw "string from log (?<user_email>\w+[@]\S+)@string from log"
| rex field=_raw "(?<login_dye>\w+)]"

B.
tag=tag name
"string from log"
"\"status\":400"
"string from log"
| rex field=field name "_(?<login_dye>\w+)"

However, when I join the two queries, no results are returned.
C.
tag=tag name
location="location name"
message="error message"
status=400
| rex field=_raw "string from log (?<user_email>\w+[@]\S+)@string from log"
| rex field=_raw "(?<login_dye>\w+)]"
| join type=inner login_dye
[search
tag=tag name
"string from log"
"\"status\":400"
"string from log"
| rex field=field name "_(?<login_dye>\w+)"
| eval Date=strftime(_time, "%m-%d-%y")]
| eval user_email="'".user_email."',"
| dedup Date, user_email
| table Date, user_email

The main search returns a large number of results. However, the sub-search returns a relatively small number of results, so the sub-search should not be timing out. I also get no messages indicating such, and no other errors or messages.

0 Karma

gcusello
SplunkTrust

Hi ryanmcdermott1208,
At first, check if there are common values in both searches for the field login_dye.
Then try to transform both login_dye fields to uppercase (or lowercase) and retry.
At last, check if the number of results of the subsearch is greater than 50,000, because there's this limit in subsearches.

Anyway, join isn't a performant command, try something different: use stats count.
I could help you, but you should copy your searches using the Code Sample button (the one near the attach button), because otherwise I cannot correctly read your question.

Bye.
Giuseppe

0 Karma

ryanmcdermott12
Explorer

Thank you Giuseppe. The main query returns over 50k results, but the sub-query does not. I should have included that the values being extracted for "login_dye" are strictly numerical. The value being extracted from the main query matches the value being extracted from the sub-query.

Here is the query in code sample:
tag=tagname
location="location name"
message="error message"
status=400
| rex field=_raw "string from log (?<user_email>\w+[@]\S+)@string from log"
| rex field=_raw "(?<login_dye>\w+)]"
| join type=inner login_dye
[search
tag=tag name
"string from log"
"\"status\":400"
"string from log"
| rex field=field name "(?<login_dye>\w+)"
| eval Date=strftime(_time, "%m-%d-%y")]
| eval user_email="'".user_email."',"
| dedup Date, user_email
| table Date, user_email

0 Karma

Sukisen1981
Champion

You are performing an inner type join, which means you are looking only for common results in both the searches.
If you remove your join field login_dye, are you receiving results?

0 Karma
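The two checks gcusello suggests (are there common login_dye values at all, and does case or whitespace differ between the two extractions?) and the stats-based replacement for the inner join can be written without a subsearch, so the 50,000-row subsearch limit and join's default of one matching subsearch row per key no longer apply. The searches below are an added example, not code from any of the posters; they keep the placeholders from the question, rename "field name" to field_name (SPL field names cannot contain spaces), assume the capture names user_email and login_dye from the original query, and assume that only the main-search events carry the location field (that is how each event is tagged as "main" or "sub"; pick whichever term is unique to each side in your data).

```spl
(tag="tag name" location="location name" message="error message" status=400)
OR (tag="tag name" "string from log" "\"status\":400")
| eval side=if(location="location name", "main", "sub")
| rex field=_raw "string from log (?<user_email>\w+[@]\S+)@string from log"
| rex field=_raw "(?<main_key>\w+)]"
| rex field=field_name "_(?<sub_key>\w+)"
| eval login_dye=lower(trim(if(side="main", main_key, sub_key)))
| stats count(eval(side="main")) AS main_count, count(eval(side="sub")) AS sub_count BY login_dye
| where main_count>0 AND sub_count>0

(tag="tag name" location="location name" message="error message" status=400)
OR (tag="tag name" "string from log" "\"status\":400")
| eval side=if(location="location name", "main", "sub")
| rex field=_raw "string from log (?<user_email>\w+[@]\S+)@string from log"
| rex field=_raw "(?<main_key>\w+)]"
| rex field=field_name "_(?<sub_key>\w+)"
| eval login_dye=lower(trim(if(side="main", main_key, sub_key)))
| eval Date=if(side="sub", strftime(_time, "%m-%d-%y"), null())
| stats values(user_email) AS user_email, values(Date) AS Date, dc(side) AS sides BY login_dye
| where sides=2
| mvexpand Date
| mvexpand user_email
| dedup Date, user_email
| table Date, user_email
```

The first search is the diagnostic: if it returns nothing even after lower() and trim() have normalised both sides, the two extractions are not producing the same key and the regexes are the problem, not the join. The second search is the replacement for the join: both event sets are pulled in one base search, the key is extracted per side, and stats groups on login_dye, so where sides=2 keeps exactly the keys present on both sides (the inner-join condition Sukisen1981 describes) while keeping every matching subsearch row instead of join's first match only.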

ryanmcdermott12
Explorer

Thank you Sukisen, but I think removing the join would not return the results I need. I only want the subset of the main query that includes the results from the sub query.

tag=tag name
location="location name"
message="error message"
status=400
| rex field=_raw "string from log (?<user_email>\w+[@]\S+)@string from log"
| rex field=_raw "(?<login_dye>\w+)]"
| join type=inner login_dye
[search
tag=tag name 
"string from log"
"\"status\":400"
"string from log"
| rex field=field name "(?<login_dye>\w+)"
| eval Date=strftime(_time, "%m-%d-%y")]
| eval user_email="'".user_email."',"
| dedup Date, user_email
| table Date, user_email

0 Karma