Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why does my search only return one event?

Ragate
Explorer
‎06-25-2018 12:33 PM

I have joined two searches together. My search only returns one event that everything matches up but there are more than just one.
This is my search:

source="C:\\Users\\ragate\\Desktop\\splunk\\LMCustomerRevLicense.csv" | join type=left substr('context.custom.dimensions{}.LicenseKey',4,7) [search source="c:\\users\\ragate\\desktop\\splunk\\jsondump.txt"] | eval LicenseKeyID=substr('context.custom.dimensions{}.LicenseKey',4,7) | where 'LicenseKeyID'='License Key Identifier' |

Any suggestions?

Tags (3)
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-28-2018 12:12 PM

Can you provide us with a sample jsondump.txt and csv?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-25-2018 02:05 PM

Change type=left to type=outer on the join.

0 Karma
Reply

Ragate
Explorer
‎06-25-2018 02:08 PM

Did not work

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-25-2018 02:31 PM

Ok can you eval out the substring and use the field name in the join as opposed to the substring?

join type=outer fieldName

As opposed to

join type=outer substring(....

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-25-2018 02:39 PM

Like this

 source="C:\\Users\\ragate\\Desktop\\splunk\\LMCustomerRevLicense.csv" |eval LicenseKeyID=substr('context.custom.dimensions{}.LicenseKey',4,7)| join type=outer LicenseKeyID [search source="c:\\users\\ragate\\desktop\\splunk\\jsondump.txt]

Removed the where too

0 Karma
Reply

Ragate
Explorer
‎06-28-2018 12:01 PM

Sorry for the late response but this did not work either.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...