cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
AverageMale
Engager
Member since: ‎09-21-2016
‎06-05-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎09-21-2016
View All

Re: How can I join two searches on a common field?

by in Splunk Search
‎09-22-2016 10:26 AM
‎09-22-2016 10:26 AM
Your last update seems to have done the trick! Thank you so much! ... View more

Re: How can I join two searches on a common field?

by in Splunk Search
‎09-22-2016 09:52 AM
‎09-22-2016 09:52 AM
This appears to find the occurrences I am looking for but I have to drill down against each pin to confirm as the returned results are noted as: 1234567 NO/YES 5445435 NO/YES ... ... Rather than the actual expected results noted in my original post: "doYouBowl":"YES", "pin":"1234567", "name":"Billy" "doYouBowl":"NO", "pin":"1234567", "name":"Mike" Is there a way to get this results? ... View more

Re: How can I join two searches on a common field?

by in Splunk Search
‎09-22-2016 09:02 AM
‎09-22-2016 09:02 AM
Hi Rich7177, Sorry, I didn't emphasize on the major criteria that the query is to find all cases where records exists that have the same "pin" but different values for "doYouBowl"? This is why I wanted to use the join operation. I tried your solutions the query just looked for where the row contained "pin" and reported stats on it regardless if "doYouBowl" had same or different values. Any ideas? Thanks. ... View more

How can I join two searches on a common field?

by in Splunk Search
‎09-21-2016 08:54 PM
‎09-21-2016 08:54 PM
This is my sample logs in [bowlers]: "doYouBowl":"YES", "pin":"123", "name":"Billy" "doYouBowl":"NO", "pin":"456", "name":"Bob" "doYouBowl":"NO", "pin":"123", "name":"Mike" Expected results is that the "pin" number must match and the resulting join results will be: "doYouBowl":"YES", "pin":"123", "name":"Billy" "doYouBowl":"NO", "pin":"123", "name":"Mike" This is what I came up with by researching, but I get an error at 121-ish, where I try to join on pin and the second search: sourcetype="bowlers" \"doYouBowl\":\"NO\" | rex field=_raw "\"(?<pin>\d+)\"" | join pin [\"doYouBowl\":\"YES\" | rex field=_raw "\"(?<pin>\d+)\""] Looking at the answers here, got suggestions to use transactions or (translate?), but want to get this join to work first and foremost. Any assistance would be appreciated. Thank you. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to
View All