Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About chinchin96
chinchin96
New Member
Member since:
05-27-2017
06-05-2020
Community Statistics
| Posts | 6 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 05-27-2017 |
Activity Feed
- Posted Save auto-extracted fields' mini-dashboards from verbose search as named dashboard panels on Splunk Search. 08-05-2017 11:55 AM
- Tagged Save auto-extracted fields' mini-dashboards from verbose search as named dashboard panels on Splunk Search. 08-05-2017 11:55 AM
- Tagged Save auto-extracted fields' mini-dashboards from verbose search as named dashboard panels on Splunk Search. 08-05-2017 11:55 AM
- Tagged Save auto-extracted fields' mini-dashboards from verbose search as named dashboard panels on Splunk Search. 08-05-2017 11:55 AM
- Posted Re: Combine two record sets where a distinct value matches (without using join) on Splunk Search. 05-29-2017 01:31 PM
- Posted Re: Combine two record sets where a distinct value matches (without using join) on Splunk Search. 05-28-2017 08:21 PM
- Posted Re: Combine two record sets where a distinct value matches (without using join) on Splunk Search. 05-28-2017 08:17 PM
- Posted Re: Combine two record sets where a distinct value matches (without using join) on Splunk Search. 05-27-2017 05:47 PM
- Posted Combine two record sets where a distinct value matches (without using join) on Splunk Search. 05-27-2017 04:40 PM
- Tagged Combine two record sets where a distinct value matches (without using join) on Splunk Search. 05-27-2017 04:40 PM
- Tagged Combine two record sets where a distinct value matches (without using join) on Splunk Search. 05-27-2017 04:40 PM
Topics I've Started
08-05-2017
11:55 AM
When you run a standard search query (say, in verbose mode), it auto-extracts fields and displays them on the left. When you click on them you get a mini-dashboard panel that tells you a lot of useful information.
Is there a way to save that mini-dashboard (or be able to convert it to a query) so that I can save it to a named dashboard?
(Btw, I realize that you can click on the items in the mini-dashboard to drill into it but I don't just want the drill-down info…)
Thanks!
... View more
05-29-2017
01:31 PM
Thank @woodcock! This explanation is very useful!
... View more
05-28-2017
08:21 PM
Thanks @woodcock! This worked as well. Also had to add
| table _time survey_uid partial_email assigned_card
to get the column order right. So, much like @somesoni2, I love that your method works but I don't kno why. Can you walk me through the logic?
Also, both your query and @somesoni2 seem to be pretty fast. Does Splunk have a preference between the two?
... View more
05-28-2017
08:17 PM
Thanks @somesoni2! This worked (after noticing timestamp was mispelled on line 7. :-))
The only issue I saw is that for records in the final display that didn't have a username (not all records do), there was not a timestamp shown even though one exists. I changed isnotnull to isnull and it seemed to work. I then added a
| table _time eventid username cardnum
to the end to get the order presented in the question.
So, while it all works now, I don't know that I could explain how. I'd love to be able to use your method again in the future but don't know I can follow the logic. Can you help me understand it?
... View more
05-27-2017
05:47 PM
Oops. You're right @rich7177. Just updated it.
... View more
05-27-2017
04:40 PM
I have a search that generates two distinct types of record entries (searching for "for event"):
2015-05-05 for event 201216053940303kljdwlj for recipient Geogm
2015-05-05 card 12345678910 for event 201216053940303kljdwlj
Fields I created:
201216053940303kljdwlj = eventid
Geogm = username (it's always 6
characters long and at the end of the
line)
12345678910 = cardnum
I want a table that shows the username and eventid of the first type of record and combines it with the card number where the eventid is a match, showing something like the following:
Time , username , eventid , cardnum
2015-05-05 , Geogm , 201216053940303kljdwlj , 12345678910
I think I got this working using join, but would like a different way to achieve it due to performance issues of using join.
My current query:
index=myindex source="source1" OR source="source2" "for recipient"
| extract pairdelim="|;,", kvdelim="=:", auto=f
| rex field=_raw "(?<username>\s......$)"
| search username!=""
| rex field=_raw "event (?<eventid>.(\w+))"
| search eventid !=""
| table _time username eventid
| join eventid [search index=myindex source="source1" OR source="source2" "for event"
| extract pairdelim="|;,", kvdelim="=:", auto=f
| rex field=_raw "card (?<cardnum>.(\w+))"
| search cardnum !=""
| rex field=_raw "event (?<eventid>.(\w+))"
| search eventid !=""
| table eventid cardnum]
This is simlar to the question shown here: answers.splunk.com/answers/443909/how-do-i-joincombine-my-two-search-searches-to-get.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev but it did not receive an accepted answer
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
