cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
manishyadav91
New Member
Member since: ‎09-24-2019
‎06-05-2020
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-24-2019
Activity Feed
View All

Re: results are being truncated in join query

by in Splunk Search
‎09-28-2019 06:44 AM
‎09-28-2019 06:44 AM
Hi Giuseppe, Search 1 : index=server_info platform=redhat message="SYSINFO*" host="*" | dedup host | table host Window kernel version results 29467 Search 2 : | inputlookup Host-Q3.csv | table host Window Result: 15679 Search combined : index=cba_chef platform=redhat message="SYSINFO*" host="*" | lookup Host-Q3.csv host OUTPUT Window | where Window != " " | dedup host | table host Window kernel version results 3599 i dont know why the results are not complete, ideally combined searc should give 15000 events but it doesn't , i have tried all the solutions listed below but same results . is there any other way to to search only limited events/host from the whole load of events. ... View more

Re: results are being truncated in join query

by in Splunk Search
‎09-25-2019 11:20 PM
‎09-25-2019 11:20 PM
Can this be done in any other way ? ... View more

Re: results are being truncated in join query

by in Splunk Search
‎09-25-2019 10:50 PM
‎09-25-2019 10:50 PM
index=server_info platform=redhat message="SYSINFO*" host="*" |lookup host.csv host OUTPUT Window | table host Window kernel version |where Window != " " i tried this too, it only give partial results 4400 instead of 15000 host in csv lookup table. ... View more

Re: results are being truncated in join query

by in Splunk Search
‎09-25-2019 10:24 PM
‎09-25-2019 10:24 PM
yes , the default maxout is 50000 but my search output is 2450000. so i get the first 50000 which includes non relevant events. ... View more

results are being truncated in join query

by in Splunk Search
‎09-25-2019 09:59 PM
‎09-25-2019 09:59 PM
Problem: i have 200000 splunk events from which i only want 15000 events ( like vlookup in excel) Splunk events contain(200000 hosts ) : host version kernel lookuptable contain (15000 hosts): host window i only want result for the host listed in lookup table(15000) i tried using join but it truncates the result . Query : | inputlookup "host.csv" | rename HOST as host | join host [search index=server_info platform=redhat message="SYSINFO*" host="*" ] | table host version kernel window | where window != " " ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM