help on join command which truncate events

jip31 · ‎03-24-2021

Hello

The join comamnd below truncate events because I have results if I execute the ode before the join command but I havent results if I execute the second part

Considering that my company dont want to increase the subsearch limit, which other solutions I can apply please??

| inputlookup lookup_patches
| search Standard_PC=1 AND StateName="Non-Compl" 
| search OSVersion="*" 
| search HOSTNAME=302013154
| join HOSTNAME 
    [| inputlookup lookup_fo_all 
    | fields SITE RESPONSIBLE_USER DEPARTMENT HOSTNAME BUILDING_CODE ROOM TYPE CATEGORY STATUS ] 
| stats last(SITE) as Site, last(BUILDING_CODE) as Building, last(ROOM) as Room, last(RESPONSIBLE_USER) as Responsible, last(DEPARTMENT) as Department, count by HOSTNAME FileName StateName OSVersion

manjunathmeti · ‎03-24-2021

hi @jip31,

You use lookup command:

| inputlookup lookup_patches where Standard_PC=1 StateName="Non-Compl" OSVersion="*" HOSTNAME=302013154
| lookup lookup_fo_all HOSTNAME OUTPUT SITE RESPONSIBLE_USER DEPARTMENT BUILDING_CODE ROOM TYPE CATEGORY STATUS
| stats last(SITE) as Site, last(BUILDING_CODE) as Building, last(ROOM) as Room, last(RESPONSIBLE_USER) as Responsible, last(DEPARTMENT) as Department, count by HOSTNAME FileName StateName OSVersion

If this reply helps you, an upvote/like would be appreciated.

jip31 · ‎03-25-2021

hi

I have done this but performances are very bad because I have more than 60000 devices....

help on join command which truncate events

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!