Solved: Re: join on 2 fields

renems · ‎05-02-2016

I have a list of servers, osname & version and a lookup with products, versions and end-of-support dates. Each product (Operating system in this case, has an entry per version. So version 4 of a certain OS has it's own out-of-support date, version 5 another supportdate. etc.

I would like to create an overview, and tell of each server what it's suspected out-of-support-date will be, based on it's os AND version.

The problem is that I can join the two, but it will only match on the product name (first one). Now every server has the same out-of-support date, regardless of it's version.

So, how can I join on two fields, instead of just one? I tried join Product, Version [ | inputlookup .. already, but without success.

Any help appreciated!

renems · ‎05-02-2016

I don't know why, but when I reverse the join it seems to work.

View solution in original post

patrick_muller · ‎05-02-2016

What are you what to do is this?

than you can compare the different versions

where Version!=LastVersion

renems · ‎05-02-2016

I don't know why, but when I reverse the join it seems to work.

woodcock · ‎05-02-2016

But join has limits that stats does not. You may not notice clearly enough to regret this approach!

woodcock · ‎05-02-2016

Like this:

...  | stats values(*) AS * BY Product Version

join on 2 fields

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?

join on 2 fields

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2