Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

how to replace join in this query?

pstalin_
Engager
‎12-14-2020 03:30 AM

Hi,

Anyone please help me in rewplacing join in this below query

index=168347-np [ | `last_np_sourcetype("index=168347-np","hardware")`] (physicalType=*) | fields physicalElementId deviceId
| join deviceId [ search index=168347-np [| `last_np_sourcetype( "index=168347-np", "group_members")` ] groupId=300543 | fields deviceId ]
| stats dc(physicalElementId) as Devices

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dmarling
Builder
‎12-15-2020 05:59 AM

I was informed that it's sourcetypes and not in the _raw.  Here's the adjusted solution:

index=168347-np 
    ([| `last_np_sourcetype("index=168347-np","hardware")`] (physicalType=*)) OR
    ([| `last_np_sourcetype( "index=168347-np", "group_members")` ] groupId=290681)
| fields physicalElementId deviceId sourcetype
| stats values(sourcetype) as sourcetype values(physicalElementId) as physicalElementId by deviceId
| search sourcetype=hardware sourcetype=group_members
| stats dc(physicalElementId) as Devices
If this comment/answer was helpful, please up vote it. Thank you.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

pstalin_
Engager
‎12-14-2020 05:35 AM

Anyone please help me on this

Tags (1)
0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎12-14-2020 10:30 AM

@pstalin_ , please try this;

index=168347-np 
    [| `last_np_sourcetype("index=168347-np","hardware")`] OR ( 
    [| `last_np_sourcetype( "index=168347-np", "group_members")` ] groupId=300543) 
| stats dc(physicalElementId) as Devices

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

pstalin_
Engager
‎12-14-2020 08:08 PM

@scelikok 

"index=168347-np [ | `last_np_sourcetype("index=168347-np","hardware")`] (physicalType=*) | fields physicalElementId deviceId
| join deviceId [ search index=168347-np [| `last_np_sourcetype( "index=168347-np", "group_members")` ] groupId=290681 | fields deviceId ]
| stats dc(physicalElementId) as Devices"

 

This queries contains the fields physicalElementId deviceId and deviceid has common but U didn't used this in your query I'm getting different answer.

0 Karma
Reply
Solved! Jump to solution

dmarling
Builder
‎12-15-2020 05:29 AM

In order to properly answer this question we need to know how the "hardware" and "group_members" are being used in the last_np_sourcetype macro.  Is there a specific field where those values are being searched?  Is it just in the raw event somewhere?  If it is in the raw event then the below query would work but it's not as efficient as it would be if we knew the exact field that these values are expected in:

index=168347-np 
    ([| `last_np_sourcetype("index=168347-np","hardware")`] (physicalType=*)) OR
    ([| `last_np_sourcetype( "index=168347-np", "group_members")` ] groupId=290681)
| fields physicalElementId deviceId _raw
| stats values(_raw) as raw values(physicalElementId) as physicalElementId by deviceId
| search raw=*hardware* raw=*group_members*
| stats dc(physicalElementId) as Devices
If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply
Solved! Jump to solution
Solution

dmarling
Builder
‎12-15-2020 05:59 AM

I was informed that it's sourcetypes and not in the _raw.  Here's the adjusted solution:

index=168347-np 
    ([| `last_np_sourcetype("index=168347-np","hardware")`] (physicalType=*)) OR
    ([| `last_np_sourcetype( "index=168347-np", "group_members")` ] groupId=290681)
| fields physicalElementId deviceId sourcetype
| stats values(sourcetype) as sourcetype values(physicalElementId) as physicalElementId by deviceId
| search sourcetype=hardware sourcetype=group_members
| stats dc(physicalElementId) as Devices
If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply
Solved! Jump to solution

pstalin_
Engager
‎12-15-2020 07:59 PM

@dmarling 

Hi,

I think its working thank you so much.

0 Karma
Reply
Solved! Jump to solution

dmarling
Builder
‎12-15-2020 09:41 PM

I'm glad it's working.  Please mark the solution as accepted to help future individuals.  Thank you!

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...