Re: Join 2 searches to enrich data from other inde...

sekhar463 · ‎11-15-2023

hai all i am using below search to get enrich a field StatusDescription using subsearch
when i was running sub search alone its gives me results for hostname and StatusDescription

but using below by join StatusDescription field is getting empty values

please correct me

index=_internal sourcetype=splunkd source="/opt/splunk/var/log/splunk/metrics.log" group=tcpin_connections os=Linux
| dedup hostname
| rex field=hostname "(?<hostname>[^.]+)\."
| eval age=(now()-_time)
| eval LastActiveTime=strftime(_time,"%y/%m/%d %H:%M:%S")
| eval Status=if(age<3600,"Running","DOWN")
| rename age AS Age
| eval Age=tostring(Age,"duration")
| table _time, hostname, sourceIp, Status, LastActiveTime, Age
| join type=left hostname
[ search index=index1 sourcetype="new_source1"
| rename NodeName AS hostname
| table hostname, StatusDescription ]

sekhar463 · ‎11-15-2023

its less events only but field value not getting

ITWhisperer · ‎11-15-2023

Perhaps it is the data. Can you share some events which aren't being matched correctly?

ITWhisperer · ‎11-15-2023

Subsearches are limited to 50,000 events. Could this be the issue? Try running the search over a short time period e.g. 5 minutes?

Assuming that is the issue, either reduce your time period to a level that avoids the problem, or rewrite the search to not use subsearches i.e. remove the join.

Join 2 searches to enrich data from other index

data

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?