Two Queries That Return Results Do not Return Resu...

ryanmcdermott12 · ‎07-31-2019

I have written two individual queries that both return the expected results.
A.
tag=tag name
location="location name"
message="error message"
status=400
| rex field=raw "string from log (?\w+[@]\S+)@string from log"
| rex field=_raw "(?\w+)]"

B.
tag=tag name
"string from log"
"\"status\":400"
"string from log"
| rex field=field name "_(?\w+)"

However, when I join the two queries, no results are returned.
C.
tag=tag name
location="location name"
message="error message"
status=400
| rex field=raw "string from log (?\w+[@]\S+)@string from log"
| rex field=_raw "(?\w+)]"
| join type=inner login_dye
[search
tag=tag name
"string from log"
"\"status\":400"
"string from log"
| rex field=field name "_(?\w+)"
| eval Date=strftime(_time, "%m-%d-%y")]
| eval user_email="'".user_email."',"
| dedup Date, user_email
| table Date, user_email

The main search returns a large number of results. However, the sub-search returns a relatively small number of results, so the sub-search should not be timing out. I also get no messages indicating such, and no other errors or messages.

gcusello · ‎07-31-2019

Hi ryanmcdermott1208,
at first check if there are common values in both the searches fir the field login_die.
then try to tranform in uppercase (o lowercase) both the login_die fields and retry.
at least check if the number of results of the subsearch is greater than 50,000, because there's this limit in subsearches.

Anyway, join isn't a performant command, try something different: use stats count.
I could help you but you should copy your searches using the Code Sample button (the one neat the attach button), because otherwise I cannot correctly read your question.

Bye.
Giuseppe

ryanmcdermott12 · ‎08-01-2019

hank you giuseppe. the main query returns over 50k results, but the sub-query does not. i should have included that the values being extracted for "login_dye" are strictly numerical. the value being extracted from the main query matches the value being extracted from the sub-query.

here is the query in code sample:
tag=tagname
location="location name"
message="error message"
status=400
| rex field=raw "string from log (?\w+[@]\S+)@string from log"
| rex field=raw "(?\w+)]"
| join type=inner login_dye
[search
tag=tag name
"string from log"
"\"status\":400"
"string from log"
| rex field=field name "(?\w+)"
| eval Date=strftime(_time, "%m-%d-%y")]
| eval user_email="'".user_email."',"
| dedup Date, user_email
| table Date, user_email

Sukisen1981 · ‎07-31-2019

you are performing an inner type join, which means you are looking only for common results in both the searches.
if you remove your join field login_dye are you receiving results?

ryanmcdermott12 · ‎08-01-2019

thank you sukisen, but i think removing the join would not return the results i need. i only want the subset of the main query that includes the results from the sub query.

tag=tag name
location="location name"
message="error message"
status=400
| rex field=raw "string from log (?\w+[@]\S+)@string from log"
| rex field=raw "(?\w+)]"
| join type=inner login_dye
[search
tag=tag name 
"string from log"
"\"status\":400"
"string from log"
| rex field=field name "(?\w+)"
| eval Date=strftime(_time, "%m-%d-%y")]
| eval user_email="'".user_email."',"
| dedup Date, user_email
| table Date, user_email

Two Queries That Return Results Do not Return Results After Join

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms