Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

subsearch help

changwoo
Communicator
‎01-09-2014 01:57 AM

i have a two tables
one is rating
user_id=xxxx
movie_id = zzzz
rating = yyyy

second is movie
movie_id = kkkk
name = pppp

using this field i want to find the 20 top rated moive name

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

linu1988
Champion
‎01-09-2014 02:17 AM

Hello,
Try this if you don't have overlapping records.

sourcetype=xx|fields user_id,movie_id,rating|sort - rating|head 20|join movie_id[|search sourcetype=yy|fields movie_id,name]|table movie_id,movie_name,rating

We may also have many movies with same rating:

sourcetype=xx|fields user_id,movie_id,rating|top 20 rating by user_id,movie_id|fields user_id,movie_id,rating|join movie_id[|search sourcetype=yy|fields movie_id,movie_name]|table movie_id,movie_name,rating

updated query per user input (use as it is)

sourcetype=rate |fields rate_user_id,rate_movie_id,rate_rating,rate_duration|sort - rate_rating | head 20| rename rate_movie_id as movie_id | join movie_id [search sourcetype = movie | fields movie_id, movie_name]|table movie_id, movie_name, rate_rating

View solution in original post

Reply
Solved! Jump to solution
Solution

linu1988
Champion
‎01-09-2014 02:17 AM

Hello,
Try this if you don't have overlapping records.

sourcetype=xx|fields user_id,movie_id,rating|sort - rating|head 20|join movie_id[|search sourcetype=yy|fields movie_id,name]|table movie_id,movie_name,rating

We may also have many movies with same rating:

sourcetype=xx|fields user_id,movie_id,rating|top 20 rating by user_id,movie_id|fields user_id,movie_id,rating|join movie_id[|search sourcetype=yy|fields movie_id,movie_name]|table movie_id,movie_name,rating

updated query per user input (use as it is)

sourcetype=rate |fields rate_user_id,rate_movie_id,rate_rating,rate_duration|sort - rate_rating | head 20| rename rate_movie_id as movie_id | join movie_id [search sourcetype = movie | fields movie_id, movie_name]|table movie_id, movie_name, rate_rating
Reply
Solved! Jump to solution

linu1988
Champion
‎01-10-2014 01:10 AM

rate_movie_id and movie_id are related you will get the result or we are doing nothing with this query.

0 Karma
Reply
Solved! Jump to solution

changwoo
Communicator
‎01-09-2014 08:41 PM

do I have to add comparing command?

looking to my search command there is no comparing command

like rate_movie_id quals movie_id

0 Karma
Reply
Solved! Jump to solution

changwoo
Communicator
‎01-09-2014 06:57 PM

sourcetype=rate|fields rate_user_id,rate_movie_id,rate_rating,rate_duration|top 1 rate_rating by rate_movie_id

this is working very well

i deleted the space and inserted "|"

but no result is comming out .

this is my search command

sourcetype=rate|fields rate_user_id,rate_movie_id,rate_rating,rate_duration|top 1 rate_rating by rate_movie_id | join rate_movie_id[ | search sourcetype= movie | fields movie_id, movie_name] | table movie_id, movie_name, rate_rating

0 Karma
Reply
Solved! Jump to solution

changwoo
Communicator
‎01-09-2014 05:59 PM

| join is not working..

sourcetype=rate |fields rate_user_id,rate_movie_id,rate_rating,rate_duration|sort -rate_rating | head 20| join rate_movie_id[|search sourcetype = movie | fields movie_id, movie_name]|table movie_id, movie_name, rate_rating

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎01-09-2014 08:40 AM

Thank you for the suggestion, i have changed it 🙂

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-09-2014 06:44 AM

you can move "sort" and "head" before "join" as well, for little better performance.

Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...