Hi All,
I have a SPL query that runs on an index , sourcetype which has milions of jobnames.
I want to my SPL to read through a list of jobnames from a different query and use it as subsearch OR I have created a lookup.csv for this 16,000 list of jonames and want to run my search on it.
How to do that ?
Main SPL that runs on millions of jobnames : earliest=-7d index=log-13120-nonprod-c laas_appId=qbmp.prediction* "jobPredictionAnalysis" prediction lastEndDelta | table jobname, prediction_status, predicted_end_time Below is an input lookup
freq_used_jobs_bmp_3months.csv which is a simple two columnar file
jobName, freq_count
I tried to join main query with this inputfile. I want to operate and write SPL queries on this list of jobNames only.
earliest=-7d index=log-13120-nonprod-c laas_appId=qbmp.prediction* "jobPredictionAnalysis" prediction lastEndDelta | table jobname, prediction_status, predicted_end_time
| lookup freq_used_jobs_bmp_3months.csv jobName output freq_count
|table jobname, freq_count
The above query fails with error na_prod_secure-ist-indexer-1_iapp724.randolph.ms.com-23000] Streamed search execute failed because: Error in 'lookup' command: Could not construct lookup 'freq_used_jobs_bmp_3months.csv, jobName, output, freq_count'. See search.log for more details I removed any null rows in the file. Still I get the same error. Other option is to somehow combine, join main query with a sub search instead of a lookup file. main query
earliest=-7d index=log-13120-nonprod-c laas_appId=qbmp.prediction* "jobPredictionAnalysis" prediction lastEndDelta | table jobname, prediction_status, predicted_end_time
sub search that will list a smaller number of jobNames that are used in last 3 months :
earliest=-90d index="log-13120-prod-c" sourcetype="autosys_service_secondary:app" OR "autosys_service_primary:app" "request:JobSearch" installation="P*" NOT"*%*" | stats count as freq_count by jobName
Now how to join the above two?
... View more