Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why are results still coming back blank after using join using multiple source type?

pratibha0610
Explorer
‎08-04-2022 02:53 AM

Hi team,

I wonder if someone can help me with the below query.  I have a to combine my two searches with join. With first search i get the assignement group and with second search i get email of those assigment group to send alert. 

i have common values between two sourcetype but field name is different.  in the first serach, field is called dv_name and in second it is called name. Therefore i create name variable before using join. However my field email is still coming blank

 serach:

index=production sourcetype=call
| eval name=dv_name

| join name type=left

[ index=production sourcetype=mail  earliest="04/30/2022:20:00:00" latest=now() | dedup name | stats values (dv_email) values (name) by name]

| eval Email=if(isnull(dv_email), " ", dv_email) 

| table dv_name Email

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-04-2022 04:31 AM

Since you are dedup'ing name, there will only be one value (the first) for dv_email so the stats becomes unnecessary. (The reason you were getting no results is that the field created by the stats command is "values(dv_email)" not dv_email - you could fix this (if you still want to use stats) by stats values(dv_email) as dv_email by name.)

index=production sourcetype=call
| eval name=dv_name

| join name type=left

[ index=production sourcetype=mail  earliest="04/30/2022:20:00:00" latest=now() | dedup name]

| eval Email=if(isnull(dv_email), " ", dv_email) 

| table dv_name Email

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-04-2022 04:31 AM

Since you are dedup'ing name, there will only be one value (the first) for dv_email so the stats becomes unnecessary. (The reason you were getting no results is that the field created by the stats command is "values(dv_email)" not dv_email - you could fix this (if you still want to use stats) by stats values(dv_email) as dv_email by name.)

index=production sourcetype=call
| eval name=dv_name

| join name type=left

[ index=production sourcetype=mail  earliest="04/30/2022:20:00:00" latest=now() | dedup name]

| eval Email=if(isnull(dv_email), " ", dv_email) 

| table dv_name Email
Reply
Solved! Jump to solution

pratibha0610
Explorer
‎08-04-2022 05:02 AM

@ITWhisperer  thanks a lot!! my search worked.

I also wanted to check one thing for setting up alert to send mail to Email address popped in result. Will the below solution work?

Enable send email alert action and in to: field set $result.Email$ 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...