Splunk Search

join query not returning result

kajolsharma
Path Finder

Hi, I have a query below with a join condition. The issue is that if I am hardcoding the name value I am getting the result, but when I'm removing it, I'm not seeing any results, plus I'm getting this error in the screenshot.

kajolsharma_0-1637248684855.png

kajolsharma_1-1637248837174.png

Validated that it is not because of a space issue. Can somebody suggest?

kajolsharma
Path Finder

Hi, I have modified the query:

index ="batch_monitoring"|search name=BPSP1060 |rex mode=sed field=name "s/ //g" |table "Activity Name",name,"job name",start,end,status,"Workstation Name _Job"|rename "Workstation Name _Job" as "Workstation"

kajolsharma_0-1637575551044.png

But still I see no results when I use it with the join query.

richgalloway
SplunkTrust

Why do you insist on running a query that doesn't match the one in the OP?  It doesn't prove anything.

If a query with a join is not returning expected results then it's necessary to run each side of the join independently and without changes.  Examine the results of those two queries to ensure they return 1) the expected field(s); 2) the field(s) that will be used to join results; and 3) common values in the joined field(s).

---
If this reply helps you, an upvote would be appreciated.
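
The check described in the reply above (run each side of the join on its own, then confirm the join field is present and has common values), as an added example that is not part of the original thread. It assumes each side's results were exported as rows keyed by field name; the `diagnose_join` helper and the sample rows are constructed for illustration.

```python
def normalize(value):
    """Mirror the thread's rex mode=sed "s/ //g": remove every space."""
    return value.replace(" ", "")


def diagnose_join(left, right, key="name"):
    """Report why a join on `key` could come back empty."""
    report = {}
    for side, rows in (("left", left), ("right", right)):
        report[side + "_rows"] = len(rows)
        # Rows without the join field can never match.
        report[side + "_missing_key"] = sum(1 for r in rows if not r.get(key))

    lvals = {r[key] for r in left if r.get(key)}
    rvals = {r[key] for r in right if r.get(key)}
    # Values a join would actually pair up (exact string equality).
    report["common"] = sorted(lvals & rvals)

    # Values that differ only by spaces: invisible in a results table,
    # but enough to stop the join from matching.
    by_norm = {}
    for v in rvals:
        by_norm.setdefault(normalize(v), set()).add(v)
    report["match_only_after_normalizing"] = sorted(
        (l, r) for l in lvals for r in by_norm.get(normalize(l), ()) if l != r
    )
    return report


# Constructed sample rows standing in for the two exported result sets.
LEFT = [
    {"name": "BPSP1060 ", "status": "OK"},   # trailing space
    {"name": "BPSP2000", "status": "OK"},
    {"status": "FAILED"},                    # join field absent
]
RIGHT = [
    {"name": "BPSP1060", "Workstation": "WS1"},
    {"name": "BPSP2000", "Workstation": "WS2"},
]

if __name__ == "__main__":
    for field, value in diagnose_join(LEFT, RIGHT).items():
        print(field, "=", value)
```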

kajolsharma
Path Finder

Output of first query:

kajolsharma_2-1637649632738.png

O/p of 2nd query:

kajolsharma_1-1637649587903.png

You can see I have run the 2 queries separately in the snips above. And you can find that the searched job result is present in both the results.

O/p of join query: [No result]

kajolsharma_0-1637650175758.png

O/p of join query by putting a filter on that jobname: [It shows the result]

kajolsharma_4-1637649976485.png

I hope you get what I am trying to say.

richgalloway
SplunkTrust

Run each "side" of the join command separately.  Verify each returns a field called "name" and that the field has a common value on each side. 


kajolsharma
Path Finder

Yes, we do have the name field in both queries. Refer to the screenshot below:

kajolsharma_0-1637255260568.png

richgalloway
SplunkTrust

That's not the same query.  Please run this:

index=batch_monitoring | rex mode=sed field=name "s/ //g"