Splunk Search

help on join subsearch

jip31
Motivator

Hello
The first part of the search below (before join) works fine and the second part (after join) works fine too.
But when I launch the entire search it doesn't work because I can retrieve the field "Geoloc".
What is the problem please??

[| inputlookup host.csv 
    | table host] `diskspace` 
| eval time = strftime(_time, "%m/%d/%Y %H:%M") 
| eval FreeSpace = FreeSpaceKB/1024 
| eval FreeSpace = round(FreeSpace/1024,1) 
| eval TotalSpace = TotalSpaceKB/1024 
| eval TotalSpace = round(TotalSpace/1024,1) 
| lookup test.csv HOSTNAME as host output SITE DESCRIPTION_MODEL ROOM COUNTRY 
| stats latest(FreeSpace) as FreeSpace latest(TotalSpace) as TotalSpace values(DESCRIPTION_MODEL) as Model values(SITE) as Site values(COUNTRY) as Country values(ROOM) as Room by host 
| where FreeSpace <= 1132 AND TotalSpace >= 64 
| eval FreeSpace=FreeSpace." GB", TotalSpace=TotalSpace." GB" 
| rename FreeSpace as "Free space", TotalSpace as "Total space" 
| search Country=France 
| join host type=outer
    [| search `toto` 
    | rename USERNAME as host 
    | lookup test2.csv NAME as AP_NAME OUTPUT Building 
    | stats last(Building) as "Geoloc" by host ] 
| table host "Free space" "Total space" Model Site Country "Geoloc" Room 
| sort +"Free space"
0 Karma
gcusello
SplunkTrust

Hi jip31,
first, try converting host to lower (or upper) case in both the main search and the subsearch.

In addition, check how many results you have in the subsearch, because there's a limit of 50,000 results in subsearches.
In this case you have to rebuild your search without join, or simply change the order: search in the main search and inputlookup in the subsearch.

In addition, why do you have square brackets at the beginning of the main search?

Anyway, join isn't a performant command (Splunk isn't a database!), so I suggest rebuilding your search without join, something like this:

| inputlookup host.csv  OR `toto` 
| all the evals and other commands
| stats values all fields BY host

Ciao.
Giuseppe

0 Karma

jip31
Motivator

Hi,
| eval host=upper(host) changes nothing.
Yes, I have more than 50000 events in my subsearch,
and I have square brackets at the beginning because in host.csv there is the host which I want to monitor in my main search and in my subsearch...

0 Karma

gcusello
SplunkTrust

Hi jip31,
try to rebuild your search in a different way:

`toto`
| lookup host.csv host OUTPUT <lookup_fields>
| ...

Ciao.
Giuseppe

0 Karma
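
A join-free form of the search from this thread, as an added example that is not part of any post above: both sources are searched together and merged with a single stats by host, so the 50,000-result subsearch limit does not apply. It assumes the `diskspace` and `toto` macros expand to plain search terms without pipes, that USERNAME exists only in the `toto` events, and that the host values in host.csv match the events' case; the field name monitored is made up for the example.

```spl
(`diskspace`) OR (`toto`)
| eval host=coalesce(USERNAME, host)
| lookup host.csv host OUTPUT host AS monitored
| where isnotnull(monitored)
| eval FreeSpace=round(FreeSpaceKB/1024/1024,1), TotalSpace=round(TotalSpaceKB/1024/1024,1)
| lookup test.csv HOSTNAME AS host OUTPUT SITE DESCRIPTION_MODEL ROOM COUNTRY
| lookup test2.csv NAME AS AP_NAME OUTPUT Building
| stats latest(FreeSpace) AS FreeSpace latest(TotalSpace) AS TotalSpace
        values(DESCRIPTION_MODEL) AS Model values(SITE) AS Site
        values(COUNTRY) AS Country values(ROOM) AS Room
        last(Building) AS Geoloc BY host
| where FreeSpace <= 1132 AND TotalSpace >= 64
| search Country=France
| sort FreeSpace
| eval FreeSpace=FreeSpace." GB", TotalSpace=TotalSpace." GB"
| rename FreeSpace AS "Free space", TotalSpace AS "Total space"
| table host "Free space" "Total space" Model Site Country Geoloc Room
```

Hosts that appear only in the `toto` events have no FreeSpace value and are dropped by the where clause, which matches the left side of the original outer join. The sort runs on the numeric FreeSpace before the " GB" suffix turns it into a string.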