Re: how to replace join?

priyastalin · ‎12-18-2020

Hi, @493669 @MuS @dturnbull_splun @bowesmana

Anyone please help me in replacing join in the below query??

Thanks

to4kawa · ‎12-18-2020

fixed sample:

(index=167515-np sourcetype=hardware physicalType=Chassis) OR (index=167515-np 
    [| `last_np_sourcetype( "index=167515-np", "group_members")` ] groupId=288348 )
| fields deviceId, productType, productId, physicalType, sourcetype 
| stats values(*) as * dc(sourcetype) as flag by deviceId
| where flag > 1
| stats dc(productId) as PIDs by productType 
| search productType=Routers 
| table PIDs

priyastalin · ‎12-20-2020

Hi @to4kawa ,

I didn't get output for this, Could you please help me in solving this?

to4kawa · ‎12-21-2020

I made a mistake and fixed it.

priyastalin · ‎12-21-2020

Hi @to4kawa ,

Couldn't see your solution can you send me again?

Thanks

how to replace join?

join

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation