
Help on join command which truncates events

jip31
Motivator

Hello

The join command below truncates events, because I have results if I execute the code before the join command but I haven't results if I execute the second part.

Considering that my company doesn't want to increase the subsearch limit, which other solutions can I apply, please?

 

| inputlookup lookup_patches
| search Standard_PC=1 AND StateName="Non-Compl" 
| search OSVersion="*" 
| search HOSTNAME=302013154
| join HOSTNAME 
    [| inputlookup lookup_fo_all 
    | fields SITE RESPONSIBLE_USER DEPARTMENT HOSTNAME BUILDING_CODE ROOM TYPE CATEGORY STATUS ] 
| stats last(SITE) as Site, last(BUILDING_CODE) as Building, last(ROOM) as Room, last(RESPONSIBLE_USER) as Responsible, last(DEPARTMENT) as Department, count by HOSTNAME FileName StateName OSVersion

 


manjunathmeti
SplunkTrust

Hi @jip31,

You can use the lookup command:

| inputlookup lookup_patches where Standard_PC=1 StateName="Non-Compl" OSVersion="*" HOSTNAME=302013154
| lookup lookup_fo_all HOSTNAME OUTPUT SITE RESPONSIBLE_USER DEPARTMENT BUILDING_CODE ROOM TYPE CATEGORY STATUS
| stats last(SITE) as Site, last(BUILDING_CODE) as Building, last(ROOM) as Room, last(RESPONSIBLE_USER) as Responsible, last(DEPARTMENT) as Department, count by HOSTNAME FileName StateName OSVersion

 

If this reply helps you, an upvote/like would be appreciated.


jip31
Motivator

Hi

I have done this but performance is very bad because I have more than 60000 devices....
