Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- join search with condition
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
arandy01
Explorer
03-04-2021
04:13 AM
I have two searches:
search-A gives values like
| type | status | hostname | id | port | Size | base | cache |
| http | OFF | host-1 | 17 | NA | NA | NA | NA |
| http | ON | host-1 | 6 | NA | NA | NA | NA |
| http | ON | host-1 | 15 | NA | NA | NA | NA |
| http | OFF | host-1 | 1 | NA | NA | NA | NA |
| web | OFF | host-2 | 17 | NA | NA | NA | NA |
| web | ON | host-2 | 6 | NA | NA | NA | NA |
| http | ON | host-3 | 15 | NA | NA | NA | NA |
| http | OFF | host-3 | 1 | NA | NA | NA | NA |
Search-B gives value like
| type | status | hostname | id | port | Size | base | cache |
| available | not_processed | host-1 | 17 | NA | NA | NA | NA |
| available | not_processed | host-2 | 17 | NA | NA | NA | NA |
| available | not_processed | host-4 | 15 | NA | NA | NA | NA |
| available | not_processed | host-5 | 1 | NA | NA | NA | NA |
I want to merge two search in such a way that it can check hostname in search-B and if hostname is present in search-A the it should not join/merge that row.. the result should be something like below...
| type | status | hostname | id | port | Size | base | cache |
| http | OFF | host-1 | 17 | NA | NA | NA | NA |
| http | ON | host-1 | 6 | NA | NA | NA | NA |
| http | ON | host-1 | 15 | NA | NA | NA | NA |
| http | OFF | host-1 | 1 | NA | NA | NA | NA |
| web | OFF | host-2 | 17 | NA | NA | NA | NA |
| web | ON | host-2 | 6 | NA | NA | NA | NA |
| http | ON | host-3 | 15 | NA | NA | NA | NA |
| http | OFF | host-3 | 1 | NA | NA | NA | NA |
| available | not_processed | host-4 | 15 | NA | NA | NA | NA |
| available | not_processed | host-5 | 1 | NA | NA | NA | NA |
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
03-04-2021
04:27 AM
hi @arandy01,
Try this:
search-A | append [search search-B] | eventstats count(eval(status IN("ON", "OFF"))) as status_count by hostname | where NOT (status_count!=0 AND status="not_processed")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
03-04-2021
04:27 AM
hi @arandy01,
Try this:
search-A | append [search search-B] | eventstats count(eval(status IN("ON", "OFF"))) as status_count by hostname | where NOT (status_count!=0 AND status="not_processed")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
arandy01
Explorer
03-04-2021
05:27 AM
Hi @manjunathmeti
Thanks for the quick reply...
But it does not work... and only shows results from search-A
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
03-04-2021
07:19 AM
Updated my answer check now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
arandy01
Explorer
03-04-2021
07:21 PM
Thanks a lot 🙂
works perfectly 🙂
Get Updates on the Splunk Community!
Introducing the Splunk Community Dashboard Challenge!
Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Wednesday, May 29, 2024 | 11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...
