×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Harold9000
New Member
Member since: ‎04-02-2018
‎06-05-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-02-2018
Activity Feed
View All

Re: Why is Join not returning all events?

by in Splunk Search
‎04-02-2018 09:50 AM
‎04-02-2018 09:50 AM
All I am trying to accomplish is take data set A. Modify it so it contains a new attribute managerEmpType. The value can be 1 or 2. This is data set B. Take original data set A, which contains an attribute called manager. Then build a query that says show me every record where the manager attribute in data set A has a managerEmpType value=1 in data set B. ... View more

Re: Why is Join not returning all events?

by in Splunk Search
‎04-02-2018 09:47 AM
‎04-02-2018 09:47 AM
Thank you. It appears the moderator was kind enough to do it for me. ... View more

Re: Why is Join not returning all events?

by in Splunk Search
‎04-02-2018 09:11 AM
‎04-02-2018 09:11 AM
Yes. It was most definitely a typo. Another commenter suggested I "declare" the manager in the first query. All I am trying to accomplish is create data set B with column managerEmpType. The value can be 1 or 2. Take original data set A, which contains an attribute called manager. Then build a query that says show me every record where the manager attribute in data set A has a managerEmpType value=1 in data set B. Make sense? ... View more

Why is Join not returning all events?

by in Splunk Search
‎04-02-2018 07:19 AM
‎04-02-2018 07:19 AM
[|tstats latest(source) as source where source="F:\\FTPROOT\\Splunk Inputs\\IDM_*.csv" | fields source] returns 245,546 events [|tstats latest(source) as source where source="F:\\FTPROOT\\Splunk Inputs\\IDM_*.csv" | fields source] | eval manager="uid="+uid+",ou=users,dc=cardinalhealth,dc=com" | rename employeeType AS managerEmpType | fields manager | table uid managerEmpType returns 245,546 events But when I join them thusly: [|tstats latest(source) as source where source="F:\\FTPROOT\\Splunk Inputs\\IDM_*.csv" | fields source | join manager [search [|tstats latest(source) as source where source="F:\\FTPROOT\\Splunk Inputs\\IDM_*.csv" | fields source] | eval manager="uid="+uid+",ou=users,dc=cardinalhealth,dc=com" | rename employeeType AS managerEmpType | fields manager managerEmpType] table uid managerEmpType I only get 43,440 matches. In theory, the subsearch should return a match for every event in the primary. Am I missing something obvious here? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM