×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
sercankarvar
Observer
Member since: ‎03-24-2022
‎03-24-2022
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎03-24-2022
Activity Feed
View All

Re: Join Operation Is not working properly

by in Splunk Search
‎03-24-2022 08:18 AM
‎03-24-2022 08:18 AM
Yes it's bringing results from database connection.  ... View more

Re: Join Operation Is not working properly

by in Splunk Search
‎03-24-2022 06:05 AM
‎03-24-2022 06:05 AM
Sorry but in my case I need use loadjob, how I can combine my query with OR and stats?  I have tried with stats as below but it didn't worked either.  index="etl_pipeline_data" environment=prd source=meta_data origin IN (device_properties, gsm_info,backend_transaction) |fields _time,tenant,origin,imei,timestamp, timestamp_device,tz_offset_cest |eval ts_device_epoch=strptime(timestamp_device,"%Y-%m-%dT%H:%M:%S.%3N")| eval ts_device=ts_device_epoch+tz_offset_cest |eval eventdate=strftime(ts_device,"%Y-%m-%d") |stats latest by tenant,origin,imei,ts_device |rename latest(*) as * |stats values(*) by tenant, imei, eventdate |table imei,eventdate |append [|loadjob savedsearch="offboarded:konux_devices_and_features:DEVICE_TRAINPASS_Report_db" | fields imei,eventdate,trains | stats sum(trains) by imei eventdate ] | where imei = 352369082111082 ... View more

Why is the Join Operation Is not working properly?

by in Splunk Search
‎03-24-2022 02:25 AM
‎03-24-2022 02:25 AM
I am seraching as below but my join operation is not bringing results from the join for only couple of imei/records. I have 100 different imei number but only 10 of them are not returning any results.      index="etl_pipeline_data" environment=prd source=meta_data origin IN (device_properties, gsm_info,backend_transaction) |fields _time,tenant,origin,imei,timestamp, timestamp_device,tz_offset_cest |eval ts_device_epoch=strptime(timestamp_device,"%Y-%m-%dT%H:%M:%S.%3N")| eval ts_device=ts_device_epoch+tz_offset_cest |eval eventdate=strftime(ts_device,"%Y-%m-%d") |stats latest by tenant,origin,imei,ts_device |rename latest(*) as * |stats values(*) by tenant, imei, eventdate |join type=left imei [|loadjob savedsearch="xx:yyy:DEVICE_TRAINPASS_Report_db" ] | where imei = 352369082111082 | table imei, eventdate,train2s     As a proof of record in second serach I have tried to check the data type, there is no issues with that.  I also tried below method instead of join but it's not returning any records as well.      index="etl_pipeline_data" environment=prd source=meta_data origin IN (device_properties, gsm_info,backend_transaction) |fields _time,tenant,origin,imei,timestamp, timestamp_device,tz_offset_cest |eval ts_device_epoch=strptime(timestamp_device,"%Y-%m-%dT%H:%M:%S.%3N")| eval ts_device=ts_device_epoch+tz_offset_cest |eval eventdate=strftime(ts_device,"%Y-%m-%d") |stats latest by tenant,origin,imei,ts_device |rename latest(*) as * |stats values(*) by tenant, imei, eventdate |table imei,eventdate |append [|loadjob savedsearch="xx:yyyy:DEVICE_TRAINPASS_Report_db" | fields imei,eventdate,trains ] | where imei = 352369082111082     is there any limitation in Splunk ? Could you please help me to achive this merge operation ?  ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-24-2022 01:41 PM