Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why do I get a 400 stanza error when using a join command in searches?

tb5821
Communicator
‎08-23-2018 08:28 AM

I tried to add a simple join onto my search but Splunk throws a 400 error 

{"messages":[{"type":"FATAL","text":"Missing or malformed messages.conf stanza for SEARCHFACTORY:UNKNOWN_OP__namespace"}]}

<Search>
| eventstats earliest(count) as earliest_count,earliest(_time) as earliest_time,latest(_time) as latest_time, latest(count) as latest_count by namespace
| where latest_count=earliest_count
| eval l_time=strftime(latest_time,"%m/%d/%y %H:%M:%S")
| eval e_time=strftime(earliest_time,"%m/%d/%y %H:%M:%S")
| eval time_since_last = latest_time - earliest_time
| fieldformat time_since_last = tostring(time_since_last, "duration")
| join namespace
    [source="/var/log/lag/mongostats.txt" namespace=* earliest=-12h@s 
    | eval namespace=trim(replace(namespace,"vodcoe-vdm.",""))]
Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-23-2018 10:33 AM

Try adding the search command to the join.

... | join namespace
     [search source="/var/log/lag/mongostats.txt" namespace=* earliest=-12h@s 
     | eval namespace=trim(replace(namespace,"vodcoe-vdm.",""))]
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎08-23-2018 10:52 PM

i hope this issue is not related to join command..
In the middle of the SPL, we can not have this [source=abc .... ],

with a search command, it will become a complete SPL..

join namespace [source="/var/log/lag/mongostats.txt" namespace=* earliest=-12h@s
| eval namespace=trim(replace(namespace,"vodcoe-vdm.",""))]

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-23-2018 10:33 AM

Try adding the search command to the join.

... | join namespace
     [search source="/var/log/lag/mongostats.txt" namespace=* earliest=-12h@s 
     | eval namespace=trim(replace(namespace,"vodcoe-vdm.",""))]
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎08-23-2018 10:52 PM

i hope this issue is not related to join command..
In the middle of the SPL, we can not have this [source=abc .... ],

with a search command, it will become a complete SPL..

join namespace [source="/var/log/lag/mongostats.txt" namespace=* earliest=-12h@s
| eval namespace=trim(replace(namespace,"vodcoe-vdm.",""))]

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-24-2018 11:50 AM

Searches/subsearches need to start with a command. "source" is not a command, but search is. There is an implicit search at the beginning of every query, but not in subsearches.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...