cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
fvarela
Explorer
Member since: ‎09-19-2021
‎10-03-2022
Community Statistics
Posts 5
Solutions 1
Karma Given 2
Karma Received 1
Member Since ‎09-19-2021
Activity Feed
View All

No matching visualization found for type: Scatter3...

by in Dashboards & Visualizations
‎10-03-2022 01:00 PM
‎10-03-2022 01:00 PM
Hi comunity, I have been using a very nice 3d scatterplot in a dashboard in Splunk cloud (8.2). It was working fine.   Now the visualization is broken. It seems like it has been removed. Can someone please confirm if that is the case? Do we have any alternative for it or knows any workaround to have it working? Thanks in advance for any help.   ... View more
Labels

Choose correct number of indexes for good performa...

by in Getting Data In
‎10-09-2021 08:15 AM
‎10-09-2021 08:15 AM
Hello Splunk community, Let's say my input to Splunk is three csv files that use the following schema. Each csv populate an index: Faults, Incidents and Status For each Faults entry there is one (and just one) Status entry. That Status entry will have parent_id = id of that fault. In the same way there is also a 'Status' entry for each Incident. When I am querying Splunk or making dashboards I have to retrieve information not only from 'Faults' or 'Incident' indexes but also from 'Status'. That makes me use a lot of joining indexes queries like this:   index="faults" |join type=outer status_id [search index="status" | rename id as status_id]   I liked this solution at first because 'Faults' and 'Incident' indexes look very clean, but I have read that these types of SPL queries are computational expensive and I am concerned that perhaps this will not escalate well in the future. Should I perhaps modify the schema and remove the Status index and put all that information in the Faults and Incidents like this? Thank you all a lot in advance for your answers. Fran   ... View more
Labels

Re: Outer join not working

by in Splunk Search
‎09-19-2021 12:09 PM
1 Karma
‎09-19-2021 12:09 PM
1 Karma
That id vs Id capitalization issue was driving me nuts so I fix it so that all the fields are extracted using the same convention (lower case with _ for separating words). That fixed somehow my issue with the outer join. Now this query works as expected: index="faults" id=3bdbced1-1958-11ec-894e-7c2a311251af |join type=outer axes_id [search index="axes" | rename id as axes_id] |table tr, table, couch  So the issue is solved but I don't really know what was wrong with the first query. ... View more

Re: Outer join not working

by in Splunk Search
‎09-19-2021 06:27 AM
‎09-19-2021 06:27 AM
Thanks for your help richgalloway but no, it is not working yet. The output table only has elements from event1 If I replace your code with this (Note that event1 has 'Id' field with capital I while event2 has 'id'): (index="faults" Id=a8015353-18bf-11ec-8b0a-7c2a311251af) OR (index="axes") | eval Id=coalesce(Id, id) | stats values(*) as * by Id | table *   Then it outputs a table with: index "faults" -> event1 index "axes" -> all the events on this index ... View more

Outer join not working

by in Splunk Search
‎09-19-2021 02:51 AM
‎09-19-2021 02:51 AM
It seem that outer join is not working for me and I have no idea why. I have this two events: Event 1 (index="faults"):  Id = a8015353-18bf-11ec-8b0a-7c2a311251af AxesId = a7ba0fd6-18bf-11ec-b369-7c2a311251af TR = 3 Event 2 (index="axes"): id = a8015354-18bf-11ec-b3bb-7c2a311251af parent_id = a8015353-18bf-11ec-8b0a-7c2a311251af table= 10 couch= 30 My main search retrieves Event 1. I want to use an outer join to retrieve 'table' and 'couch' from Event2. I have two choices to join the events. I have tried both, didn't work: Event1 AxesId is Event2 id Event1 Id is Event2 parent_id This is my query:   index="faults" Id=a8015353-18bf-11ec-8b0a-7c2a311251af | join type=outer AxesId [search index="axes" | rename id AS AxesId] | table *   And this is the output table. Id AxesId TR table couch a8015353-18bf-11ec-8b0a-7c2a311251af a8015354-18bf-11ec-b3bb-7c2a311251af 3       Event 2 columns are there but have no information. Any help would be welcomed. Thanks     ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎10-03-2022 04:20 PM
Karma from
View All
Karma given to
View All