Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

join command in splunk

splunkn
Communicator
‎05-07-2015 04:49 AM

Hi ,

I need to extract the host list which are belonging to certain applications ( Listed in my Lookup table )
Need to find which hosts are getting connected to Deployment server and after that need to pick out the hosts which are present in the lookup table. I have used join in my query. It works fine.

index=internal host=abcsdf "/services/broker/phonehome/connection" | rex "(?i)^(?:[^.]*.){10}\d+(?P<remote_host>.+?)" | rex "(?i).com(?P<remote_host>.+?)_" | dedup remote_host |rename remote_host as hostname| join hostname[|inputlookup applist] | stats distinct_count(hostname)

Any alternate idea to this?
Will join consume more time to run?

Thanks in advance

Tags (1)
0 Karma
Reply

stephanefotso
Motivator
‎05-07-2015 05:23 AM

Yes join consume more time to run. I think you will be interested by the link bellow:

http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi...

SGF
0 Karma
Reply

splunkn
Communicator
‎05-07-2015 06:07 AM

Stephane,,
Many Thanks and could you please explain a bit to compare events with lookup table as in my scenario.

0 Karma
Reply

stephanefotso
Motivator
‎05-07-2015 07:15 AM

ok. in your case that is what you could do to avoid join:

index=internal host=abcsdf "/services/broker/phonehome/connection" | rex "(?i)^(?:[^.]*.){10}d+(?P<remote_host>.+?)" | rex "(?i).com(?P<remote_host>.+?)_" | dedup remote_host |rename remote_host as hostname| lookup applist.csv hostname| stats distinct_count(hostname)

SGF
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...