Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why does my search only return one event?

Ragate
Explorer
‎06-25-2018 12:33 PM

I have joined two searches together. My search only returns one event that everything matches up but there are more than just one.
This is my search:

source="C:\\Users\\ragate\\Desktop\\splunk\\LMCustomerRevLicense.csv" | join type=left substr('context.custom.dimensions{}.LicenseKey',4,7) [search source="c:\\users\\ragate\\desktop\\splunk\\jsondump.txt"] | eval LicenseKeyID=substr('context.custom.dimensions{}.LicenseKey',4,7) | where 'LicenseKeyID'='License Key Identifier' |

Any suggestions?

Tags (3)
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-28-2018 12:12 PM

Can you provide us with a sample jsondump.txt and csv?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-25-2018 02:05 PM

Change type=left to type=outer on the join.

0 Karma
Reply

Ragate
Explorer
‎06-25-2018 02:08 PM

Did not work

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-25-2018 02:31 PM

Ok can you eval out the substring and use the field name in the join as opposed to the substring?

join type=outer fieldName

As opposed to

join type=outer substring(....

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-25-2018 02:39 PM

Like this

 source="C:\\Users\\ragate\\Desktop\\splunk\\LMCustomerRevLicense.csv" |eval LicenseKeyID=substr('context.custom.dimensions{}.LicenseKey',4,7)| join type=outer LicenseKeyID [search source="c:\\users\\ragate\\desktop\\splunk\\jsondump.txt]

Removed the where too

0 Karma
Reply

Ragate
Explorer
‎06-28-2018 12:01 PM

Sorry for the late response but this did not work either.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...