Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

join on 2 fields

renems
Communicator
‎05-02-2016 05:51 AM

I have a list of servers, osname & version and a lookup with products, versions and end-of-support dates. Each product (Operating system in this case, has an entry per version. So version 4 of a certain OS has it's own out-of-support date, version 5 another supportdate. etc.

I would like to create an overview, and tell of each server what it's suspected out-of-support-date will be, based on it's os AND version.

The problem is that I can join the two, but it will only match on the product name (first one). Now every server has the same out-of-support date, regardless of it's version.

So, how can I join on two fields, instead of just one? I tried join Product, Version [ | inputlookup .. already, but without success.

Any help appreciated!

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

renems
Communicator
‎05-02-2016 06:54 AM

I don't know why, but when I reverse the join it seems to work.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

patrick_muller
Explorer
‎05-02-2016 12:16 PM

What are you what to do is this?

your search * | table Product, Version | join Product [ | inputlookup | eval LastVersion=Version | table Product LastVersion]

than you can compare the different versions

where Version!=LastVersion

Reply
Solved! Jump to solution
Solution

renems
Communicator
‎05-02-2016 06:54 AM

I don't know why, but when I reverse the join it seems to work.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-02-2016 07:24 AM

But join has limits that stats does not. You may not notice clearly enough to regret this approach!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-02-2016 05:55 AM

Like this:

...  | stats values(*) AS * BY Product Version
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

How Edge Processor's Durable Queue Works

Edge Processor sits in one of the most consequential places in any Splunk pipeline: between your data sources ...

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...