×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
dbizzleforizzle
Observer
Member since: ‎07-23-2024
‎07-23-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎07-23-2024
View All

Re: Inner join query just doesn't work! See my deb...

by in Splunk Search
‎07-23-2024 12:24 PM
‎07-23-2024 12:24 PM
Thanks for the response and the suggestion.  I want to match on either "Host_Name" or "IP" from the lookup table. The splunk "host" field in our configuration (misconfiguration) returns DNS name for some hosts and IP address for others. (Long Story.) The lookup table has maybe 150 rows, so the subsearch isn't that resource-intensive. Using lookup instead of inputlookup seems like it would be clunky but at this point I just want to make something work, so I'm all ears. To respond to your suggestions/comments:  1. "Join" seems the intuitive, clean option for my use case. The lookup table is small. 2. I don't want to "enrich" my events/logs, I want to filter  them to only return logs based on the Splunk host field matching with Host_Name OR IP fields from the lookup. (But at this point, I will take matching just one of the fields from the lookup table.) Can we construct a query that accomplishes this filter without using join and inputlookup? 3. Can anyone tell me why my query won't work???? ... View more

Inner join query just doesn't work! See my debuggi...

by in Splunk Search
‎07-23-2024 11:57 AM
‎07-23-2024 11:57 AM
 I've been debugging my inner join query for hours, and that's why I'm here with my first question for this community. We have a csv lookup table with fields "Host_Name", "IP", and others, based on our known hosts that should be reporting. Note: in our Splunk logs, for some hosts the splunk "host" field matches the lookup table "Host_Name" field, and some hosts match the "IP" field. For this reason, when we add a new host, we add 2 rows to the lookup, and place the host name and the IP in both fields of the lookup. (Long story.) Our Lookup ("System_Hosts.csv") looks like this: Host_Name          IP Foo Bar ServerA 123.45.6.7 xyz abc 123.45.6.7 ServerA def ghi ServerB ...and so on       Queries that don't work. (This is a very oversimplified stub of the query, but I'm debugging and brought it down to the smallest code that doesn't function): index=myindex | join type=inner host [|inputlookup System_Hosts.csv | fields Host_Name, IP] | table host (Removing one of the fields from the lookup, just in case I don't understand inner join, and the splunk host has to match both "Host_Name" and "IP" lookup fields to return results): index=myindex | join type=inner host [|inputlookup System_Hosts.csv | fields Host_Name] (Removing "type=inner" optional parameter also doesn't work as expected. Inner is default type.)  Queries that DO work: (To verify logs and hosts exist, and visually match the hosts to lookup table:) index=myindex | table host (To verify lookup is accessible, fields and syntax are accurate:) index=myindex | inputlookup System_Hosts.csv | fields Host_Name, IP | table Host_Name, IP (To make me crazy? Outer join works. But this just returns all hosts from every log.) index=myindex | join type=outer host [|inputlookup System_Hosts.csv | fields Host_Name, IP | table host  So these have been verified: spelling of the lookup spelling of the lookup fields permission to access the lookup syntax of the entire query without the "type=inner" optional argument  From my understanding, when this works, the query will return a table with hosts that match entries in the "Host_Name" OR "IP" fields from the lookup. If I don't understand inner join please tell me, but this is secondary to making inner join work at all, because as you can see above, I try to match only the "Host_Name" field with no success. I'm pulling my hair out! Please help! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-23-2024 08:35 PM