×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
mattiasrs
Explorer
Member since: ‎02-05-2021
‎02-26-2021
Community Statistics
Posts 6
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎02-05-2021
Activity Feed
View All

Re: Limited search join

by in Splunk Search
‎02-26-2021 07:42 AM
‎02-26-2021 07:42 AM
Hi Giuseppe and thanks for your reply! I tried your solution but it seems like it is searching through everything from Index B, which is not an option here due to the amount of data in that index. Also, maybe worth mentioning is that the pid field in index B contains data that is not present in Index A so I need it to only consider the top 10 count from Index A. Any idea what I'm doing wrong? ... View more

Limited search join

by in Splunk Search
‎02-26-2021 07:02 AM
‎02-26-2021 07:02 AM
Hello awesome community! I got help from here once before so I will try again. I have two indexes, Index A and Index B. Fields: Index A: id Index B: pid, address I want to retrieve the top 10 count ids from Index A and then join these 10 with Index B to retrieve the address info. This is my search (simplified) to retrieve the top 10 ids from Index A: index = A | stats count by id | sort -count | head 10 Index B is huge so I only want to search it for the top 10 ids found from Index A search above. How can I use the results found from the above search into a search from Index B? Many thanks ... View more
Labels

Re: Left join - find missing data from second inde...

by in Splunk Search
‎02-08-2021 03:47 AM
‎02-08-2021 03:47 AM
Many thanks! ... View more

Re: Left join - find missing data from second inde...

by in Splunk Search
‎02-08-2021 03:38 AM
‎02-08-2021 03:38 AM
Thank you! With this I am able to achieve what I want. Do you know if this is best practice? ... View more

Re: Left join - find missing data from second inde...

by in Splunk Search
‎02-08-2021 01:14 AM
‎02-08-2021 01:14 AM
Hello, No this returns only the raw events, not in a table format. I tried moving |table outside the [ ] but this returns data that exist in both indexes, just not showing the data from index B. ... View more

Left join - find missing data from second index

by in Splunk Search
‎02-05-2021 03:38 AM
‎02-05-2021 03:38 AM
Hello, I am quite new to Splunk and this is my first post. Hoping that I can get some help from this awesome community. I have two systems, System A and System B. System A receives customer information which is then sent to System B . The data in both systems have the exact same fields and a unique Customer ID with the same name in both systems. I want to create a dashboard where I can select a time period and see only problematic customers that only exist in System A, meaning they haven't been sent to System B for some reason. This is my search to see all the data: index=systemA OR index=systemB | fields customer_ID, systemA_Timestamp, systemB_Timestamp | stats values(*) as * by customer_ID | table customer_ID, systemA_Timestamp, systemB_Timestamp   So to summarize, I want to see customer_IDs that only exist in System A. I am not sure which function to use here. I have been experimenting with isnull(systemB_Timestamp) with no success. Join is not an option as the limit of 50 000 might be a problem.   Would be very grateful for any help! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎02-26-2021 11:03 AM
Karma given to
View All