Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

join query not returning result

kajolsharma
Path Finder
‎11-18-2021 07:21 AM

Hi, I have a query below with a join condition .The issue is if I am hardcoding name value I am getting the result but when I'm removing it, not seeing any results plus I m getting this error in screenshot.kajolsharma_0-1637248684855.png

kajolsharma_1-1637248837174.png

Validated that it is not because of space issue .Can somebody suggest?

Labels (3)
Labels
0 Karma
Reply

kajolsharma
Path Finder
‎11-22-2021 02:07 AM

Hi, i have modified the query :

index ="batch_monitoring"|search name=BPSP1060 |rex mode=sed field=name "s/ //g" |table "Activity Name",name,"job name",start,end,status,"Workstation Name _Job"|rename "Workstation Name _Job" as "Workstation"

kajolsharma_0-1637575551044.png

But still I see no results when i use it with join query .

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-22-2021 05:50 AM

Why do you insist on running a query that doesn't match the one in the OP?  It doesn't prove anything.

If a query with a join is not returning expected results then it's necessary to run each side of the join independently and without changes.  Examine the results of those two queries to ensure they return 1) the expected field(s); 2) the field(s) that will be used to join results; and 3) common values in the joined field(s).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kajolsharma
Path Finder
‎11-22-2021 10:46 PM

Output of first query:

kajolsharma_2-1637649632738.png

 

O/p of 2nd query:

kajolsharma_1-1637649587903.png

You can see I have ran the 2 queries separately in the snips above. And you can find that the searched job result is present  in both the results. 

o/p of join query:[No result]

kajolsharma_0-1637650175758.png

o/p of join query by putting a filter on that jobname:  [Its shows the result]

kajolsharma_4-1637649976485.png

I hope you get what I trying to say.

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-18-2021 07:55 AM

Run each "side" of the join command separately.  Verify each returns a field called "name" and that the field has a common value on each side. 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kajolsharma
Path Finder
‎11-18-2021 09:08 AM

Yes, we do have name field in both queries. Refer below screenshot:

kajolsharma_0-1637255260568.png

 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-18-2021 12:43 PM

That's not the same query.  Please run this:

index=batch_monitoring | rex mode=sed field=name "s/ //g"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...