Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Outer join not working

fvarela
Explorer
‎09-19-2021 02:51 AM

It seem that outer join is not working for me and I have no idea why.
I have this two events:

Event 1 (index="faults"):
 Id = a8015353-18bf-11ec-8b0a-7c2a311251af
AxesId = a7ba0fd6-18bf-11ec-b369-7c2a311251af
TR = 3

Event 2 (index="axes"):
id = a8015354-18bf-11ec-b3bb-7c2a311251af
parent_id = a8015353-18bf-11ec-8b0a-7c2a311251af
table= 10
couch= 30

My main search retrieves Event 1.
I want to use an outer join to retrieve 'table' and 'couch' from Event2. I have two choices to join the events. I have tried both, didn't work:

Event1 AxesId is Event2 id
Event1 Id is Event2 parent_id

This is my query:

 

index="faults" Id=a8015353-18bf-11ec-8b0a-7c2a311251af
| join type=outer AxesId [search index="axes" | rename id AS AxesId]
| table *

 


And this is the output table.

IdAxesIdTRtablecouch
a8015353-18bf-11ec-8b0a-7c2a311251afa8015354-18bf-11ec-b3bb-7c2a311251af3  

 

Event 2 columns are there but have no information.
Any help would be welcomed.
Thanks

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

fvarela
Explorer
‎09-19-2021 12:09 PM

That id vs Id capitalization issue was driving me nuts so I fix it so that all the fields are extracted using the same convention (lower case with _ for separating words).
That fixed somehow my issue with the outer join.
Now this query works as expected:

index="faults" id=3bdbced1-1958-11ec-894e-7c2a311251af
|join type=outer axes_id [search index="axes" | rename id as axes_id]
|table tr, table, couch

 So the issue is solved but I don't really know what was wrong with the first query.

View solution in original post

Reply
Solved! Jump to solution
Solution

fvarela
Explorer
‎09-19-2021 12:09 PM

That id vs Id capitalization issue was driving me nuts so I fix it so that all the fields are extracted using the same convention (lower case with _ for separating words).
That fixed somehow my issue with the outer join.
Now this query works as expected:

index="faults" id=3bdbced1-1958-11ec-894e-7c2a311251af
|join type=outer axes_id [search index="axes" | rename id as axes_id]
|table tr, table, couch

 So the issue is solved but I don't really know what was wrong with the first query.

Reply
Solved! Jump to solution

fvarela
Explorer
‎09-19-2021 06:27 AM

Thanks for your help richgalloway but no, it is not working yet.
The output table only has elements from event1

If I replace your code with this (Note that event1 has 'Id' field with capital I while event2 has 'id'):

(index="faults" Id=a8015353-18bf-11ec-8b0a-7c2a311251af) OR
(index="axes")
| eval Id=coalesce(Id, id)
| stats values(*) as * by Id
| table *

 

Then it outputs a table with:
index "faults" -> event1
index "axes" -> all the events on this index

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-19-2021 07:19 AM

Perhaps I got the fields confused.  The field in the by clause of the stats command must be one that contains a value shared by events in both indexes.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-19-2021 06:11 AM

That looks like it should work so I don't understand why it isn't.  Try this alternative.

(index="faults" Id=a8015353-18bf-11ec-8b0a-7c2a311251af) OR
(index="axes")
| eval Id=coalesce(Id, AxesId]
| stats values(*) as * by Id
| table *
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...