×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
meghashet21
Loves-to-Learn
Member since: ‎08-05-2022
‎11-15-2024
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-05-2022
View All

Re: Combining 2 queries using append and grouping ...

by in Splunk Enterprise
‎11-14-2024 06:30 AM
‎11-14-2024 06:30 AM
@bowesmana , Query won't be able to share it, but I tried few different ways, 1)Created data model and tried combining using append and union as well, but it's not working when running for large data set which contains nearly 70k records for 15 mins time period, so when I run same query for that individual id it shows no mismatch but in large dataset the data won't be loaded from query 1 2) Created lookup files for each query , and in each file it has the data, but when it's combined using append or union the data is showing as  data doesn't exist in query 1. So suggest how we can proceed further. ... View more

Re: Combining 2 queries using append and grouping ...

by in Splunk Enterprise
‎11-13-2024 03:26 AM
‎11-13-2024 03:26 AM
In my case from each query I'm retrieving few fields from that log using regex and makemv,mvexpand command, so not sure with that changes how I can do it  ... View more

Combining 2 queries using append and grouping the ...

by in Splunk Enterprise
‎11-12-2024 09:23 AM
‎11-12-2024 09:23 AM
I have 2 queries where each query retrieve the fields from different source using regex and combining it using append sand grouping the data using stats by common id and then evaluating the result, but what is happening is before it loads the data from query 2 it's evaluating and giving wrong result with large data set Sample query looks like this index=a component=serviceA "incoming data" | eventstats values(name) as name ,values(age) as age by id1,id2 |append [search index=a component=serviceB "data from" | eventstats values(parentName) as parentName ,values(parentAge) as parentAge by id1,id2] | stats values(name) as name ,values(age) as age, values(parentName) as parentName ,values(parentAge) as parentAge by id1,id2 | eval mismatch= case(isnull(name) AND isnull(age) ," data doesn't exist in serviceA", isnull(parentName) AND isnull(parentAge) ," data doesn't exist in serviceB", true, "No mismatch") | table name,age,parentAge,parentName,mismatch,id1,id2 so in my case with large data before the dat get's loaded from query2 it's giving as data doesn't exist in serviceB, even though there is no mismatch. Please suggest how we can tackle this situation, I tried using join , but it's same ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎11-15-2024 03:20 AM