I am trying to set up a report with a search string that works OK.
Unfortunately, only internal Ids are used in the log entries. To make the report readable, I am trying to set up a join that will exchange the internalId with a descriptive name in the final output.
To make things easier, I have dumped the database table with two columns, internalId and description to a csv file.
Search A:
| inputcsv machinesdump.csv | table internalId description
This works fine as it is, showing the two columns with reasonable values. The csv-file is read and parsed correctly.
My main search works fine too, except for the internalId being displayed instead of the description.
Search B:
index="errorIndex"
source="*-error.log"
Machine LogEntryEntity
| eval temp=split(_raw,"|") | eval txt=mvindex(fields,3)| ... | eval internalId=mvindex(foo, 1)
| stats count by internalId | sort -num(count)
This also works as expected, counting failing machines with the top failing machine on the top of the list, except we show internal Id of the machines with their count.
I tried merging the two searches:
index="errorIndex"
source="*-error.log"
Machine LogEntryEntity
| eval temp=split(_raw,"|") | eval txt=mvindex(fields,3)| ... | eval internalId=mvindex(foo, 1)
| join internalId [ | inputcsv machinesdump.csv | table internalId description ]
| stats count by description | sort -num(count)
No entries found.
I am currently experimenting on Splunk Light Free Version 6.3.0, but the target is a running Splunk Enterprise version. Did I botch the join setup? Am I using the wrong action?
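Two searches that may help narrow this down, added here as an example and not part of the original question. The first keeps the non-matching events instead of dropping them (join is an inner join by default) so you can see what the internalId values look like on each side; join and lookup both need the field values to match exactly, so a stray space or a differently named column in the CSV header is enough to produce an empty result. The second replaces the join with the lookup command, which is the usual way to enrich events from a static table; it assumes machinesdump.csv has been uploaded as a lookup table file in Settings > Lookups (inputcsv reads from a different directory), and the mvindex position used to extract internalId is a placeholder for the elided eval chain above, not a claim about the real log format.

```spl
index="errorIndex" source="*-error.log" Machine LogEntryEntity
| eval temp=split(_raw,"|"), internalId=trim(mvindex(temp, 1))
| join type=left internalId [ | inputcsv machinesdump.csv | eval internalId=trim(internalId) | table internalId description ]
| stats count by internalId description
| sort -count

index="errorIndex" source="*-error.log" Machine LogEntryEntity
| eval temp=split(_raw,"|"), internalId=trim(mvindex(temp, 1))
| lookup machinesdump.csv internalId OUTPUT description
| eval description=coalesce(description, "unknown (".internalId.")")
| stats count by description
| sort -count
```

In the first search, rows where description is empty are the events whose internalId had no counterpart in the CSV; comparing those values with the output of `| inputcsv machinesdump.csv | table internalId` shows whether the mismatch is whitespace, a leading zero, or a column name that differs from internalId. The second search keeps unmatched machines visible under their raw id rather than silently dropping them, which is the failure mode the inner join produces.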