Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Join 2 searches to enrich data from other index

sekhar463
Path Finder
‎11-15-2023 02:08 AM

hai all i am using below search to get enrich a field StatusDescription using subsearch 
when i was running sub search alone its gives me results for hostname and StatusDescription

but using below by join StatusDescription field is getting empty values

please correct me 

 

index=_internal sourcetype=splunkd source="/opt/splunk/var/log/splunk/metrics.log" group=tcpin_connections os=Linux
| dedup hostname
| rex field=hostname "(?<hostname>[^.]+)\."
| eval age=(now()-_time)
| eval LastActiveTime=strftime(_time,"%y/%m/%d %H:%M:%S")
| eval Status=if(age<3600,"Running","DOWN")
| rename age AS Age
| eval Age=tostring(Age,"duration")
| table _time, hostname, sourceIp, Status, LastActiveTime, Age
| join type=left hostname
[ search index=index1 sourcetype="new_source1"
| rename NodeName AS hostname
| table hostname, StatusDescription ]
Labels (1)
Labels
0 Karma
Reply

sekhar463
Path Finder
‎11-15-2023 07:03 AM

its less events only but field value not getting

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-15-2023 07:09 AM

Perhaps it is the data. Can you share some events which aren't being matched correctly?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-15-2023 02:33 AM

Subsearches are limited to 50,000 events. Could this be the issue? Try running the search over a short time period e.g. 5 minutes?

Assuming that is the issue, either reduce your time period to a level that avoids the problem, or rewrite the search to not use subsearches i.e. remove the join.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...