Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About lovelyshrm421
lovelyshrm421
Explorer
Member since:
11-22-2021
11-26-2021
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 11-22-2021 |
Activity Feed
- Karma Re: two search queries with join not working for ITWhisperer. 11-26-2021 01:45 AM
- Posted Re: two search queries with join not working on Splunk Search. 11-24-2021 12:02 PM
- Posted Re: two search queries with join not working on Splunk Search. 11-24-2021 09:59 AM
- Posted Re: two search queries with join not working on Splunk Search. 11-24-2021 05:08 AM
- Posted Re: two search queries with join not working on Splunk Search. 11-24-2021 04:42 AM
- Posted Re: two search queries with join not working on Splunk Search. 11-24-2021 03:57 AM
- Posted Re: two search queries with join not working on Splunk Search. 11-23-2021 12:54 AM
- Posted Re: two search queries with join not working on Splunk Search. 11-22-2021 11:58 PM
- Posted Re: two search queries with join not working on Splunk Search. 11-22-2021 06:01 AM
- Posted two search queries with join not working on Splunk Search. 11-22-2021 04:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
11-24-2021
12:02 PM
This seems to be working. Perfect. Thanks alot. Great help. But let me test out few more scenario's for this and if i face any issue will post here. Thanks Again for helping 🙂
... View more
11-24-2021
09:59 AM
Yes, Exactly I have observed that from first query events are like table name -all small case, and from second query table name is in mix case(upper +lower), so is there a way we can change the case(to_lower) before comparing the table and db?
... View more
11-24-2021
05:08 AM
Event for first query- table -claim {"severity": "INFO", "message": "database:local_db schema:dbo table:claim count:1 queue:-1 pipelineuser:l@gmail.com jobname:Job for p1 pk_field:id s_pk_count:324203 \ts_total_count:324203 origin_cnt_date:Wed Nov 24 11:04:31 GMT 2021", "jb_name": "Job for p1", "time": 1637751926} Events for second query- table- claim {"severity": "INFO", "message": "database:local_db schema:dbo table:Claim count:20000 queue:-1 pipelineuser:l@gmail.com jobname:Job for p2", "jb_name": "Job for p2", "time": 1637752834} {"severity": "INFO", "message": "database:local_db schema:dbo table:Claim count:20000 queue:-1 pipelineuser:l@gmail.com jobname:Job for p2", "jb_name": "Job for p2", "time": 1637752776} have you considered using spath to retrieve the fields? No i haven't tried yet.
... View more
11-24-2021
04:42 AM
I changed to | stats sum(cnt) as tb_cnt values(jb) as jb by db tb but still no results from second query.
... View more
11-24-2021
03:57 AM
I need to sum-up the count from second query(both event for claim table field count: 20000 + 20000) and compare with the field s_total_count:324101 from first query and post the difference. Which is not happening .
... View more
11-23-2021
12:54 AM
We have all the table event available in first query. now check the event info i edited. I am thinking something wrong with the join i am using its not able to calculate the count from second query.
... View more
11-22-2021
11:58 PM
first query event- in the below event we are getting count directly in field- s_total_count:2. { [-] jb_name: Job for p1 message: database:local_db schema:dbo table:claim count:1 queue:-1 pipelineuser:l@gmail.com jobname:Job for p1 pk_field:id s_pk_count:2 s_total_count:324101 origin_cnt_date:Tue Nov 23 06:57:49 GMT 2021 severity: INFO time: 1637650742 } Second query- this below query getting the count in the field count:20000 and having multiple events for one table per batch wise, so we need to sum up all the event for the table and compare the count with the first query count and see the difference. event1: { [-] jb_name: Job for p2 message: database:local_db schema:dbo table:Claim count:20000 queue:-1 pipelineuser:l@gmail.com jobname:Job for p2 severity: INFO time: 1637650935 } event2: { [-] jb_name: Job for p2 message: database:local_db schema:dbo table:Claim count:20000 queue:-1 pipelineuser:l@gmail.com jobname:Job for p2 severity: INFO time: 1637650875 }
... View more
11-22-2021
06:01 AM
Even i tried | eval jobname1="Job for p2" as well . its same actually. no results
... View more
11-22-2021
04:48 AM
I have two separate search queries which are working separately but when i am trying to get data by joining them its not giving me any result from second query. first query- index=ads sourcetype="sequel" | eval jobname="Job for p1" | rex field=_raw "schema:(?P<db>[^ ]+)" | rex field=_raw "table:(?P<tb>[^ ]+)" | rex field=_raw "s_total_count:(?P<cnts>[^ ]+)" | rex field=_raw "origin_cnt_date:(?P<dte>[\D]+[\d]+[ ][\d]+[:]+[\d]+[:]+[\d]+[ ][\D]+[\d]+)" | eval date= strptime(dte, "%a %B %d %H:%M:%S") | eval dates=strftime(date, "%Y-%m-%d") | fields db tb cnts dates jobname | where cnts>0 | table dates jobname db tb cnts second query- index=ads sourcetype="isosequel" | rex field=_raw "schema:(?P<db>[^ ]+)" | rex field=_raw "table:(?P<tb>[^ ]+)" | rex field=_raw "count:(?P<cnt>[^ ]+)" | eval jobname1="Job for p2" | stats sum(cnt) as tb_cnt by jobname1 db tb | fields jobname1 db tb tb_cnt |table jobname1 db tb tb_cnt joined query(not working as expected)- index=ads sourcetype="sequel" | eval jobname="Job for p1" | rex field=_raw "schema:(?P<db>[^ ]+)" | rex field=_raw "table:(?P<tb>[^ ]+)" | rex field=_raw "s_total_count:(?P<cnts>[^ ]+)" | rex field=_raw "origin_cnt_date:(?P<dte>[\D]+[\d]+[ ][\d]+[:]+[\d]+[:]+[\d]+[ ][\D]+[\d]+)" | eval date= strptime(dte, "%a %B %d %H:%M:%S") | eval dates=strftime(date, "%Y-%m-%d") | fields db, tb, cnts, dates, jobname | join type=inner db tb [ search(index=ads sourcetype="isosequel") | rex field=_raw "schema:(?P<db>[^ ]+)" | rex field=_raw "table:(?P<tb>[^ ]+)" | rex field=_raw "count:(?P<cnt>[^ ]+)" | rex field=_raw "jobname:Job for (?P<jb>[a-z_A-Z0-9]+)" | stats sum(cnt) as tb_cnt by jb db tb | fields db, tb, tb_cnt, jb] | eval diff = cnts-tb_cnt | table dates, jobname, jb, db, tb, cnts, tb_cnt, diff requirement- I want to compare each db ,table with the second query db, table and get the difference, but i am not getting any result out of second query. any help would be appreciated !!! Thankyou in Advance !!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-26-2021
02:23 PM
|
