Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Search
Splunk Community
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Search
Search the Community
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
6,000 results
Sorted by:
07-13-2022
07:48 AM
Hi Splunkers,
I struggled badly trying to get this solved, but no luck?
I need to join to a different search using the ip_address to get the host name :
Base search for the join: index= X&n...
Labels
- Labels:
-
host
Show results in replies (8)
-
| fields host_name count E_error L_error
-
What is this line supposed to be doing | stats values(hostname) by ip_addresses because after tha...
-
...609)" | stats earliest(_time) as E_error latest(_time) as L_error count by ip | join type=left i...
-
I edited that already if you refresh you won't see it, that was a mistake.
-
It is not clear which events you are trying to "join" with which - where do these events come f...
-
Thanks ITWhisperer, Just as an update, the field that I need to join on need to have the same e...
-
The host name will not be available in the web logs, that's why I join to a different s...
-
...rom the left is joined to which field on the right join - Splunk Documentation
10-14-2022
01:02 PM
...howDeviceProgramOffer AND completion_code=0)
| join type=inner session
[search index=xmo2-aws host=xmo2-prod* sourcetype=oss_app_log "Step completion_code set/reset" (flow_name=UcdeDeviceOnboarding AND step_name=S...
Labels
- Labels:
-
subsearch
Show results in replies (8)
-
without knowing your data, it's a little tricky to give an exact solution, but values(*) as * will ...
-
I would start here for reading. Use the guidance to gradually rebuild from scratch. Joins a...
-
...o the 'join' and then you can use eval to determine which category of your union it belongs to Not t...
-
I should have said, if it meets the 4th criteria as well as all 3 of the first criteria, then it is...
-
this doesn't quite work because the conditions are mutually inclusive. The session has to mee...
-
Also, timechart doesn't work in your example because there is no _time field...
-
still, the timechart command doesn't work without _time field, correct?
-
I was able to get that to work. Thanks for the tips!
08-22-2023
08:58 PM
Hello, How to join data from index and dbxquery without using JOIN, APPEND or stats command? Issue with JOIN: limit of subsearch 50,000 rows or fewer. Missing data. Issue with A...
03-10-2020
09:49 AM
Anything wrong with this join and subsearch? I know there are events which should match based on the 'cs_host' field. Not sure if the rename is confusing things, or my syntax is off slightly.
i...
05-27-2021
01:11 AM
I've read in other posts that using join in Splunk isn't great so I'm looking for a better way to do my search. I want a table of users connected to the company VPN, who are not using a corporate d...
Labels
- Labels:
-
join
02-09-2023
09:11 PM
index=na160 starttime="02/02/2023:00:00:00" endtime="02/02/2023:24:00:00" requestId="TID:131610985000004c2d" |stats count as 240_COUNT by logRecordType | join logRecordType type=outer [search i...
Show results in replies (4)
-
On the right hand side of an eval statement if the field name starts with numbers or contains '.' o...
-
Note that using join is not good practice, as it's rarely necessary in Splunk and has l...
-
Given example is simplified version of query, however in actual requestId is coming from...
-
All good - just it's useful to not start your Splunk life with join - it's really worth getting y...
04-05-2022
07:03 AM
I have 3 indexes that I need to join.
One index is the changes that we have in created in our Service Management tool. The second index is the Post Implementation Reviews (PIR's).&n...
Show results in replies (6)
-
Fieldnames are case-sensitive so try | eval TargetId=if(index="index_prod_sql_ism_pir",Rec...
-
...hich index the event belongs to. Then you can use eventstats to "join" the information | m...
-
I have gotten the above to work. How do I show the PIR status in the table? ...
-
It doesn't look like you are searching the PIR (or Link for that matter) index - try starting the s...
-
Sorry, just not getting what you are saying. I have added the search to the top of the query ...
-
Still no data. I am thinking that somehow the tables are not linking or joining correctly....
06-22-2022
02:07 AM
Hi, I need to join data on my 2 source A and B on the fields "Workitems_URL" and "Work Item URL"
In source B, there is field "Type Name" that all of its join match must have this field c...
Labels
- Labels:
-
join
06-19-2019
08:53 AM
...-----------|---------------2-------------|-----------post---------- |--------xx----------
It means if I get 4 row data in first search, then after join, I need show 8 row data
Forgive my poor English, c...
Show results in replies (6)
-
Are you using the join one or the other one?
-
Hi @jerrytao , The easiest way to do this would be to use a join command: index=cosv2 ul-c...
-
Sorry, the join was wrong also... I have updated it above.
-
...esult -> A | C | D, try this below to join table result -> A| B |C |D Search1 |a...
-
@Vijeta , I need join the result of second search for every ul-ctx-head-span-id, not only that s...
-
...aller-span-id"!=null ul-ctx-head-span-id=1-5D0A0438-736C50A33B81102B75CBA44D | join ul-ctx-head-span-i...
07-21-2021
04:33 AM
Hi All, I want to join two indexes and get a result. Search Query -1 index=Microsoft | eval Event_Date=mvindex('eventDateTime',0) | eval UPN=mvindex('userStates{}.userPrincipalName',0...
Labels
- Labels:
-
join
-
stats
-
transaction
