Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

join query not returning result

kajolsharma
Path Finder
‎11-18-2021 07:21 AM

Hi, I have a query below with a join condition .The issue is if I am hardcoding name value I am getting the result but when I'm removing it, not seeing any results plus I m getting this error in screenshot.kajolsharma_0-1637248684855.png

kajolsharma_1-1637248837174.png

Validated that it is not because of space issue .Can somebody suggest?

Labels (3)
Labels
0 Karma
Reply

kajolsharma
Path Finder
‎11-22-2021 02:07 AM

Hi, i have modified the query :

index ="batch_monitoring"|search name=BPSP1060 |rex mode=sed field=name "s/ //g" |table "Activity Name",name,"job name",start,end,status,"Workstation Name _Job"|rename "Workstation Name _Job" as "Workstation"

kajolsharma_0-1637575551044.png

But still I see no results when i use it with join query .

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-22-2021 05:50 AM

Why do you insist on running a query that doesn't match the one in the OP?  It doesn't prove anything.

If a query with a join is not returning expected results then it's necessary to run each side of the join independently and without changes.  Examine the results of those two queries to ensure they return 1) the expected field(s); 2) the field(s) that will be used to join results; and 3) common values in the joined field(s).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kajolsharma
Path Finder
‎11-22-2021 10:46 PM

Output of first query:

kajolsharma_2-1637649632738.png

 

O/p of 2nd query:

kajolsharma_1-1637649587903.png

You can see I have ran the 2 queries separately in the snips above. And you can find that the searched job result is present  in both the results. 

o/p of join query:[No result]

kajolsharma_0-1637650175758.png

o/p of join query by putting a filter on that jobname:  [Its shows the result]

kajolsharma_4-1637649976485.png

I hope you get what I trying to say.

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-18-2021 07:55 AM

Run each "side" of the join command separately.  Verify each returns a field called "name" and that the field has a common value on each side. 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kajolsharma
Path Finder
‎11-18-2021 09:08 AM

Yes, we do have name field in both queries. Refer below screenshot:

kajolsharma_0-1637255260568.png

 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-18-2021 12:43 PM

That's not the same query.  Please run this:

index=batch_monitoring | rex mode=sed field=name "s/ //g"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...