×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
tlunruh
New Member
Member since: ‎06-14-2018
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-14-2018
Activity Feed
Topics I've Started
View All

Re: Mismatch with values in Join

by in Splunk Search
‎06-14-2018 02:29 PM
‎06-14-2018 02:29 PM
Thanks @somesoni2. I ran your new search and it gave me different data, but I am still not sure it is right. I am sure I am trying to use Splunk JOINs like SQL (which I am very familiar with) and not understanding the overhead/results. What I am really trying to get (for the first pass), is the STYPE from index=edi for each matching TRACKINGNUMBER in index=edi-2 . index=edi has TRCK and STYPE fields; index=edi-2 has TRACKINGNUMBER and DATE fields. I want to JOIN (or use an alternative) the two indexex on TRACKINGNUMBER/TRCK and return the count of STYPE. Does that make sense? ... View more

Mismatch with values in Join

by in Splunk Search
‎06-14-2018 12:34 PM
‎06-14-2018 12:34 PM
When I run this query: index=edi-2 | join type=inner TRACKINGNUMBER [search index=edi | rename TRCK AS TRACKINGNUMBER] | stats count(TRACKINGNUMBER) BY STYPE I get these results: STYPE count(TRACKINGNUMBER) 01 2140 08 38 10 284 13 1122 22 539 25 349 29 4 32 236 However, if I add this where clause: index=edi-2 | join type=inner TRACKINGNUMBER [search index=edi | rename TRCK AS TRACKINGNUMBER | where STYPE=08 OR STYPE=29] | stats count(TRACKINGNUMBER) BY STYPE I get this: STYPE count(TRACKINGNUMBER) 08 166 29 4572 WTH?? How is that possible? Shouldn't 08 and 29 match up with the first set of results?? What am I missing with this? Thanks! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM