Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to replace join from the below query?

pstalin_
Engager
‎12-02-2020 11:50 PM

index=105261-cli sourcetype=show_system_resources
| dedup deviceId
| eval nexus_percent_used=round(100*memory_used/memory_total)
| eval nexus_status=if(nexus_percent_used>85, "Not OK", "OK")
| fields deviceId, nexus_percent_used, nexus_status
| append
[ search index=105261-cli sourcetype=show_memory_statistics
| dedup deviceId
| eval ios_percent_used=round(100*used/total)
| eval ios_status=if(ios_percent_used>85, "Not OK", "OK")
| fields deviceId, ios_percent_used, ios_status ]
| join deviceId
[ search index=105261-np sourcetype=device_details
| fields deviceId, productFamily, swVersion, deviceName ]
| eval percent_used=if(like(productFamily, "%Nexus%"), nexus_percent_used, ios_percent_used)
| eval status=if(like(productFamily, "%Nexus%"), nexus_status, ios_status)
| table deviceName, productFamily, swVersion, percent_used, status
| sort -percent_used

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎12-02-2020 11:57 PM

Did you see my reply to your other similar question https://community.splunk.com/t5/Splunk-Search/How-to-replace-join-command-with-any-other-alternative...

The same principle would apply to this search also.

 

0 Karma
Reply

pstalin_
Engager
‎12-03-2020 03:29 AM

(index=148031-cli sourcetype=show_system_resources) OR (index=14031-cli sourcetype=show_memory_statistics) OR (index=148031-np sourcetype=device_details)
|fields deviceId,memory_used,memory_total,used,total,productFamily, swVersion, deviceName
| stats latest(*) as * by deviceId
| eval nexus_percent_used=round(100*memory_used/memory_total)
| eval nexus_status=if(nexus_percent_used > 85, "Not OK", "OK")
| eval ios_percent_used=round(100*used/total)
| eval ios_status=if(ios_percent_used > 85, "Not OK", "OK")
| eval percent_used=if(like(productFamily, "%Nexus%"), nexus_percent_used, ios_percent_used)
| eval status=if(like(productFamily, "%Nexus%"), nexus_status, ios_status)
| table deviceName, productFamily, swVersion, percent_used, status
| sort -percent_used

Tags (1)
0 Karma
Reply

pstalin_
Engager
‎12-04-2020 09:08 PM

@bowesmana Hi I have tried the query as u said before but still I'm not getting the exact events count as I got when I used join. Could you please help me in solving this?

(index=148031-cli sourcetype=show_system_resources) OR (index=14031-cli sourcetype=show_memory_statistics) OR (index=148031-np sourcetype=device_details)
|fields deviceId,memory_used,memory_total,used,total,productFamily, swVersion, deviceName
| stats latest(*) as * by deviceId
| eval nexus_percent_used=round(100*memory_used/memory_total)
| eval nexus_status=if(nexus_percent_used > 85, "Not OK", "OK")
| eval ios_percent_used=round(100*used/total)
| eval ios_status=if(ios_percent_used > 85, "Not OK", "OK")
| eval percent_used=if(like(productFamily, "%Nexus%"), nexus_percent_used, ios_percent_used)
| eval status=if(like(productFamily, "%Nexus%"), nexus_status, ios_status)
| table deviceName, productFamily, swVersion, percent_used, status
| sort -percent_used

 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎12-06-2020 03:01 PM

You will need to give an example of the data and some outcomes of the searches otherwise it's hard to diagnose the query

 

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...