Question (join two searches within a time window):

I have joined two searches by index, with some success. However, I have noticed that one of the fields in the second search does not always show the correct value. Is it possible to join the two searches, based on the join criteria, within 60 seconds of the time of either log?

Reply:

Maybe if we can see a few events that should be joined, we can see if. The best way to share these would be to use the code button (101010) to preserve formatting.

Answer (avoid join, use stats):

Hi, first: if possible, try to avoid the join command! I understand that all of us arrive from SQL, but Splunk isn't a database, so the join command should be avoided whenever possible and replaced, e.g., with the stats command, because it's a very slow and resource-hungry command. E.g. try something like this (obviously I cannot check it):

```spl
index=customer ((name IN (gate-green, gate-blue) msg="*First time: *") OR name IN (cust-blue, cust-green) msg="*COMPLETED *")
| spath input=json path=infoId output=UserId
| eval status=if(name IN (gate-green, gate-blue) AND msg="*First time: *","FirstRequest","Completed")
| stats dc(status) AS status_count values(status) AS status BY UserId
| eval status=if(status_count=2,"both",status)
```

Then you can define whether to keep all the UserIds or only the ones with both statuses. About your search, try to use quotes in the IN values.

Question (lookup returns a single value instead of a multivalue field):

```spl
| join max=0 userid [ | inputlookup testgroup.csv | table userId group ]
```

But what happens is that each event just gets a single value (g1, g2 or g3) returned for group instead of a multivalued field that contains all matches. Basically the lookup should return all matches as a multivalue field.

Notes on subsearches and lookups:

A subsearch is a search that is used to narrow down the set of events that you search on. Subsearches are enclosed in square brackets within a main search and are evaluated first. The result of the subsearch is then used as an argument to the primary, or outer, search.

Any column may have an equal value in multiple instances, which is a multivalued field in the Splunk lookup. If your list of (Id, Accountname) tuples in sourcetypeAccount is < 1 GB, a lookup is still applicable. Also, Splunk is designed to handle extremely large lookups fairly efficiently. To create one, navigate in Splunk to the Settings menu and select Lookups, then click on the Add New button and select CSV File as the Lookup type.
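The stats-based pattern recommended above, carried through to the two other problems raised in the thread (the 60-second window and the lookup that should yield a multivalue group field), written here as an added example; it is not the answerer's search nor any code from the thread. Only the names that appear on the page are taken from it (index=customer, the json field and its infoId path, the name and msg values, testgroup.csv with columns userId and group). Everything else is assumed for illustration: that the lookup's userId is the same key as the events' UserId (Splunk field names are case-sensitive, hence the rename), that both kinds of events carry a usable _time, and that each UserId has at most one FirstRequest/Completed pair.

```spl
index=customer ((name IN ("gate-green","gate-blue") msg="*First time: *") OR (name IN ("cust-blue","cust-green") msg="*COMPLETED *"))
| spath input=json path=infoId output=UserId
| eval status=if(in(name, "gate-green", "gate-blue") AND like(msg, "%First time: %"), "FirstRequest", "Completed")
| append [ | inputlookup testgroup.csv | rename userId AS UserId | fields UserId group ]
| stats count AS events dc(status) AS status_count values(status) AS status values(group) AS group min(_time) AS first_seen range(_time) AS seconds_between BY UserId
| eval status=case(status_count=2, "both", status_count=1, status, true(), "lookup_only")
| eval joined_within_60s=if(status="both" AND seconds_between<=60, "yes", "no")
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| table UserId events status joined_within_60s seconds_between first_seen group
```

How it differs from the join versions: join defaults to type=inner and max=1, so events with no match in the subsearch are dropped and only the first matching subsearch row is used; max=0 lifts that cap but produces one result per matching row rather than a multivalue field, and the subsearch is still bounded by the subsearch limits in limits.conf. Here the lookup rows are appended as ordinary results and stats collapses them by UserId, so group comes back as a multivalue field holding every group listed for that user, while the IN values are quoted as the answer advises and the eval test uses in() and like(), since eval's = does not expand wildcards. range(_time) gives the spread between the user's earliest and latest event; it only approximates the "within 60 seconds" rule when a user has a single pair of events, which is the assumption stated above. Users present only in the lookup survive with status lookup_only; drop the where-less form and add `| where status="both"` if you only want the UserIds that have both statuses.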