Splunk Search

join on 2 fields

renems
Communicator

I have a list of servers, osname & version and a lookup with products, versions and end-of-support dates. Each product (operating system in this case) has an entry per version. So version 4 of a certain OS has its own out-of-support date, version 5 another support date, etc.

I would like to create an overview, and tell for each server what its suspected out-of-support date will be, based on its OS AND version.

The problem is that I can join the two, but it will only match on the product name (first one). Now every server has the same out-of-support date, regardless of its version.

So, how can I join on two fields, instead of just one? I tried join Product, Version [ | inputlookup .. already, but without success.

Any help appreciated!

1 Solution

renems
Communicator

I don't know why, but when I reverse the join it seems to work.

0 Karma

patrick_muller
Explorer

What you want to do is this?

your search * | table Product, Version | join Product [ | inputlookup | eval LastVersion=Version | table Product LastVersion]

then you can compare the different versions

where Version!=LastVersion

woodcock
Esteemed Legend

But join has limits that stats does not. You may not notice clearly enough to regret this approach!

0 Karma

woodcock
Esteemed Legend

Like this:

...  | stats values(*) AS * BY Product Version
0 Karma
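
A worked version of the stats approach above, as an added example that is not part of the original thread: server rows and lookup rows are appended into one result set and merged on both Product and Version, so each server picks up the date for its own OS version. The field names host and EndOfSupport and all sample rows are constructed assumptions; in a real search the first block would be your server search and the append subsearch would be an inputlookup of your own lookup.

```spl
| makeresults
| eval row=split("srv01,ExampleOS,4;srv02,ExampleOS,5;srv03,OtherOS,5", ";")
| mvexpand row
| eval f=split(row, ","), host=mvindex(f,0), Product=mvindex(f,1), Version=mvindex(f,2)
| fields host Product Version
| append
    [| makeresults
     | eval row=split("ExampleOS,4,2020-01-31;ExampleOS,5,2024-06-30;OtherOS,5,2023-12-31", ";")
     | mvexpand row
     | eval f=split(row, ","), Product=mvindex(f,0), Version=mvindex(f,1), EndOfSupport=mvindex(f,2)
     | fields Product Version EndOfSupport]
| stats values(host) AS host values(EndOfSupport) AS EndOfSupport BY Product Version
| where isnotnull(host)
| mvexpand host
| table host Product Version EndOfSupport
```

The `where isnotnull(host)` step drops lookup versions that no server runs, and a server left with an empty EndOfSupport is one whose Product and Version pair has no lookup entry.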