Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

simple left join returning too many events

yuvaldo
Engager
‎04-24-2021 04:12 PM

** edit: **

if i add dedup _time,clientip to the left (upper) search, i get 2580 events.

 

Hi, ive got this search:

host=tutorialdata _time=* clientip=*
| eval test1=0
| fields clientip _time test1
| join type=left clientip, _time
[ search host=tutorialdata _time=* clientip=*
| transaction clientip maxspan=6h
| eval test2=1
| fields clientip _time test2]
| eval testFinal= if(test2 == "1","1","0")
| stats sum(testFinal)

 

the search left to the join alone, returns 39532 events. the right one, alone, 2580.

i added the test1, 2, and testFinal to verify the results,  but if i run the whole search it sums up 3457 instead of 2580. whats going on? thanks 🙂

Labels (1)
Labels
0 Karma
Reply

tscroggins
Influencer
‎04-24-2021 05:17 PM

@yuvaldo 

This occurs because there are more than 2580 matching events in the left outer search.

For example, this:

 

sourcetype=access_combined_wcookie source=tutorialdata.zip:* clientip=71.192.86.205 earliest=1617832126 latest=1617832127

 

returns three events; however, this:

 

sourcetype=access_combined_wcookie source=tutorialdata.zip:* clientip=71.192.86.205 earliest=1617832126 latest=1617832127 
| transaction clientip maxspan=6h

 

returns 1 event.

When you join the results, each event in the left outer search joins with the first matching event in the subsearch, and the total number of events remains the same, with each joined event containing the fields added by the subsearch.

Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...