help on join command which truncate events

jip31 · ‎03-24-2021

Hello

The join comamnd below truncate events because I have results if I execute the ode before the join command but I havent results if I execute the second part

Considering that my company dont want to increase the subsearch limit, which other solutions I can apply please??

| inputlookup lookup_patches
| search Standard_PC=1 AND StateName="Non-Compl" 
| search OSVersion="*" 
| search HOSTNAME=302013154
| join HOSTNAME 
    [| inputlookup lookup_fo_all 
    | fields SITE RESPONSIBLE_USER DEPARTMENT HOSTNAME BUILDING_CODE ROOM TYPE CATEGORY STATUS ] 
| stats last(SITE) as Site, last(BUILDING_CODE) as Building, last(ROOM) as Room, last(RESPONSIBLE_USER) as Responsible, last(DEPARTMENT) as Department, count by HOSTNAME FileName StateName OSVersion

manjunathmeti · ‎03-24-2021

hi @jip31,

You use lookup command:

| inputlookup lookup_patches where Standard_PC=1 StateName="Non-Compl" OSVersion="*" HOSTNAME=302013154
| lookup lookup_fo_all HOSTNAME OUTPUT SITE RESPONSIBLE_USER DEPARTMENT BUILDING_CODE ROOM TYPE CATEGORY STATUS
| stats last(SITE) as Site, last(BUILDING_CODE) as Building, last(ROOM) as Room, last(RESPONSIBLE_USER) as Responsible, last(DEPARTMENT) as Department, count by HOSTNAME FileName StateName OSVersion

If this reply helps you, an upvote/like would be appreciated.

jip31 · ‎03-25-2021

hi

I have done this but performances are very bad because I have more than 60000 devices....

help on join command which truncate events

other

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...