×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
loudc95
Loves-to-Learn Lots
Member since: ‎06-07-2022
‎06-08-2022
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-07-2022
Activity Feed
View All

Re: Inner join subsearch with later time range

by in Reporting
‎06-08-2022 05:42 AM
‎06-08-2022 05:42 AM
Hi @gcusello, Figured it out! The stats values(detail.amount) AS amount was causing problems. Unfortunately this seems to work for everything that has got the completed status in the same time range as the first search, but it isn't finding the ones that change status at a later date. Again, when I search for the ID explicitly then it works, but without it it doesn't appear in the table. ... View more

Re: Inner join subsearch with later time range

by in Reporting
‎06-08-2022 01:32 AM
‎06-08-2022 01:32 AM
Hi @gcusello , No I am looking for an inner join, but am definitely missing results.  When I ran this search, I get 2 results: (auditSource="open-banking" auditType="PaymentResponse") OR (auditSource="open-banking-external-api" auditType="PaymentStatusUpdate" detail.status="Completed" latest=+10d ) | eval id="12345" | stats dc(auditSource) by id But when I run the original search , with a where clause of id="12345", there is only the 1 result from open-banking and not open-banking-external-api. Thanks! ... View more

Re: Inner join subsearch with later time range

by in Reporting
‎06-07-2022 09:26 AM
‎06-07-2022 09:26 AM
This one worked: ((auditSource="open-banking" auditType="PaymentResponse") OR (auditSource="open-banking-external-api" auditType="PaymentStatusUpdate" detail.status="Completed" latest=+10d )) | rename detail.paymentId AS paymentId detail.ecospendPaymentId AS paymentId | convert num(detail.amount) as amount | stats values(detail.amount) AS amount dc(auditSource) AS dc_auditSource values(auditSource) AS auditSource BY paymentId | where dc_auditSource=2 but this is missing a lot of the paymentIds that should be in there 😞 ... View more

Re: Inner join subsearch with later time range

by in Reporting
‎06-07-2022 09:03 AM
‎06-07-2022 09:03 AM
Hi Giuseppe, Thanks for your fast response! Unfortunately this returns no results for me, and upon doing some digging there are now zero results from the second table (auditSource open-banking-external-api). Any ideas? Thanks! ... View more

How to create a search with inner join subsearch w...

by in Reporting
‎06-07-2022 07:25 AM
‎06-07-2022 07:25 AM
Hi Splunk Team, I'm trying to create a query that uses the payment IDs from one table, and only keeps the payment IDs that have a completed status from another table. The completed status can happen at a later date so I would like the subsearch to search within 10 days after the original search. My query seems to work when I search for a specific ID in the subsearch, but when I remove it it returns no results. I'm also open to not using a join/making this more efficient but I wasn't sure how else to do it!   auditSource="open-banking" auditType="PaymentResponse" | fields detail.ecospendPaymentId, detail.amount | convert num(detail.amount) as amount | table detail.ecospendPaymentId, amount | join type=inner detail.ecospendPaymentId [ search auditSource="open-banking-external-api" auditType="PaymentStatusUpdate" detail.status="Completed" latest=+10d  | fields detail.paymentId | rename detail.paymentId as "detail.ecospendPaymentId" ] | dedup "detail.ecospendPaymentId" | table "detail.ecospendPaymentId", amount   Thank you! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-08-2022 08:18 AM