Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to "join" two different searches with no common fields?

CarmineCalo
Path Finder
‎01-18-2018 05:19 AM

Splunkers!

I need to join the follow inputlookup + event searche in order to have, for each AppID, the full set of month buckets given from the time range picker
Example:

Search 1 (Fromm inputlookup):
App1
App2
...

Search 2 (from index search)
Month 1
Month 2
...

Desired outcome:

App1 Month1
App1 Month2
App1 ...
App2 Month1
App2 Month2
App2 ...
... ...

Here the code for the two searches

Search 1

| inputlookup DOM_ApplicationCatalogue
| search Status="Production"

| stats count by ApplicationID

Search 2
| search index=Incidents
| dedup id_inc
| timechart span=1mon count
| eval datemonth_year=strftime(_time,"%Y-%m")
| fields count datemonth_year]

Any help?

Tks!
Carmine

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-18-2018 05:40 AM

you can try something like

| inputlookup DOM_ApplicationCatalogue 
| search Status="Production" 
| stats count by ApplicationID 
| appendcols 
    [ search index=Incidents 
    | dedup id_inc 
    | timechart span=1mon count 
    | eval datemonth_year=strftime(_time,"%Y-%m") 
    | fields count datemonth_year]

let me know if this helps !

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-18-2018 05:40 AM

you can try something like

| inputlookup DOM_ApplicationCatalogue 
| search Status="Production" 
| stats count by ApplicationID 
| appendcols 
    [ search index=Incidents 
    | dedup id_inc 
    | timechart span=1mon count 
    | eval datemonth_year=strftime(_time,"%Y-%m") 
    | fields count datemonth_year]

let me know if this helps !

0 Karma
Reply
Solved! Jump to solution

CarmineCalo
Path Finder
‎01-18-2018 06:04 AM

No, unfortunately it's not working...

It generate something like (hyp that Month = (Month 1, Month 2)

App1 Month 1
App2 Month 2
App3
App4
...

Carmine

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎01-18-2018 06:28 AM

if you are interested in just desired outcome then you can try something like this I may be wrong...but you will not be able to show count in this because logically linking count is not possible i think

app1 month1
app1 month2
app2 month1
app2 month2
..and so on

| inputlookup DOM_ApplicationCatalogue 
| search Status="Production" 
| stats count by ApplicationID 
| fields ApplicationID 
| appendcols 
    [ search index=Incidents 
    | dedup id_inc 
    | timechart span=1mon count 
    | eval datemonth_year=strftime(_time,"%Y-%m") 
    | fields datemonth_year ] 
| stats list(ApplicationID) as ApplicationID list(datemonth_year) as datemonth_year 
| mvexpand ApplicationID 
| mvexpand datemonth_year

let me know if this helps!

Reply
Solved! Jump to solution

CarmineCalo
Path Finder
‎01-18-2018 07:00 AM

Only one additional thing...

list(ApplicationID) create a field with "only" 100 value inside (my list of APpID is 4k+!)
How can i increase the number of values to listed?
Unfortunately "limit" option not works with stats...

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎01-18-2018 07:25 AM

Hey use values(ApplicationID) as ApplicationID

0 Karma
Reply
Solved! Jump to solution

CarmineCalo
Path Finder
‎01-18-2018 10:27 AM

Great! It works now 🙂

0 Karma
Reply
Solved! Jump to solution

CarmineCalo
Path Finder
‎01-18-2018 06:35 AM

Now It works!
Tks!

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...