All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to join or lookup results from one search to another for table output?

GeorgeStarkey
Path Finder
‎10-31-2014 01:46 PM

in the vmware app the following pieces exist

index=vmware-perf
moid mem_used mem_committed

index=vmware-inv
moid changeSet.name

changeset.name is the actual hostame of the vm's so endusers can easily identify.

I want to run something like this:
index=vmware-perf sourcetype=vmware:perf:mem moid=vm* | eval overuse=mem_committed-mem_used | stats min(overuse) by moid,mem_committed,mem_used | dedup moid

HOWEVER I then want to join (or lookup/remap) the changeSet.name from the other index based on the moid so that I can end up with a table that shows:

changeSet.name moid mem_committed mem_used overuse
host1 vm-5619 65222 32001.238281 33220.761719
host2 vm-822 65138 35497.636719 29640.363281
etc..

This is probably a simple join, but I can't quite get it to function

Reply
1 Solution
Solved! Jump to solution
Solution

GeorgeStarkey
Path Finder
‎10-31-2014 02:12 PM

I have solved this myself with:

index=vmware-perf
sourcetype=vmware:perf:mem moid=vm*
mem_committed>1 | join moid [search
index=vmware-inv moid=*
changeSet.name=vm*] | eval
overuse=mem_committed-mem_used | stats
min(overuse) by
changeSet.name,moid,mem_committed,mem_used
| dedup moid

though this is still very slow. there must be a faster way.

View solution in original post

Reply
Solved! Jump to solution
Solution

GeorgeStarkey
Path Finder
‎10-31-2014 02:12 PM

I have solved this myself with:

index=vmware-perf
sourcetype=vmware:perf:mem moid=vm*
mem_committed>1 | join moid [search
index=vmware-inv moid=*
changeSet.name=vm*] | eval
overuse=mem_committed-mem_used | stats
min(overuse) by
changeSet.name,moid,mem_committed,mem_used
| dedup moid

though this is still very slow. there must be a faster way.

Reply
Solved! Jump to solution

mipeters_splunk
Splunk Employee
Splunk Employee
‎07-31-2017 03:40 PM

the faster way would be to use data models and use the |tstats command with summariesonly. Good luck !!!!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...