I have read through almost every Join label topic on the Splunk Community page and I don't seem to see one that fits my problem. If there is one that works for this issue, please simply direct me to the correct discussion. The closest discussion that looks like what I am shooting for is: How to join two searches on a common field where the value of the left search matches all values of. But this discussion doesn't have a solution. And I've been through the pages reviewing the subsearch, append, appendcols, join and selfjoin.

The two searches I would like to join are:

index="_internal" source="*metrics.log" per_index_thruput series=autoshell host=lelsplunkix* | eval GB=kb/(1024*1024) | timechart span=12h sum(GB) as GB by series

IMPORTANT: The index of all of these is "_internal", not the actual index that the source data comes from.

| tstats count where (index=BlackPearl OR index=Tortuga OR index=Swashbuckler) by index, sourcetype | table sourcetype, index

Results: (example - roughly 86 rows returned)

I want to join these results to make a single table of:

I tried to use append and it just adds the additional sourcetype/index rows below the actual results (not as a new column). I tried to use appendcols and the number of rows between the first search and the second search don't match, so only the first handful of rows get an index and the index doesn't match up with the sourcetype. I tried to use join with max=0 and type=inner and it only returned a handful of rows (less than 1000) and only for a few of the index/sourcetype combinations. I even just tried to use the second search as a subsearch of the first search to limit the sourcetypes to ONLY the ones returned in the tstats search, which I think worked, but still didn't tell me which index applied to each sourcetype. I can run the two separately, extract the data into Excel and do a vlookup to get the results I want, but I need this to be in the report/search.

Be gentle, this is my first discussion topic. Help me! I'm drowning. Let me know if I need to clarify anything else.

OK, so I figured out what was going on and I'd like to explain. Hope this is enough information to clearly understand the problem. Then someone can correct me or tell me that I have a defective Splunk or something like that:

I am a new Splunk user and I want to create a stats table showing different findings of an event using fields. Display a table that shows: name, TIME of the last call (corresponding to that name), TIME of the first time the word hello was said in the values of the conversation field, TIME of the first time the word how was said in the values of the messages field. When it comes to messages and conversations, I want to find the first time that each field had a value containing the specific word (hello and how correspondingly). These two fields contain values that look like paragraphs. In other words, I want to find the first time that xxname said hello in conversation and how in messages.

Here's what I have so far:

index=xxx source=xxx sourcetype=xxx
| stats latest(name) as name, latest(call_time) as call_time
[ search index=xxx source=xxx sourcetype=xxx conversation="*hello*"
| stats earliest(_time) as first_hello by name
[ search index=xxx source=xxx sourcetype=xxx messages="*how*"
| stats earliest(_time) as first_how by name
| table name, call_time, first_hello, first_how

However, I am running into error when I use the earliest command twice.

1. Both first_hello and first_how are displaying the same time.
2. As I added the 'join' I could tell that the number of statistics decreased. I want to find a way that it displays all the events and that if a certain time (or word) cannot be found then it will just stay blank. I can see how that contradicts the purpose of 'join' but I couldn't find another way to do it.
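One way to get all three timestamps in a single stats pass, without a join and with the cell left blank when a name never said the word, as an added example that is not part of the original post. It assumes the post's own field names (name, call_time, conversation, messages) and keeps the post's xxx placeholders for index, source and sourcetype; the match() regex is used instead of the wildcard search so the check is case-insensitive, which is an assumption about what the poster wants.

```spl
index=xxx source=xxx sourcetype=xxx
| eval hello_time=if(match(conversation, "(?i)hello"), _time, null())
| eval how_time=if(match(messages, "(?i)how"), _time, null())
| stats latest(call_time) as call_time,
        min(hello_time) as first_hello,
        min(how_time) as first_how
        by name
| fieldformat first_hello=strftime(first_hello, "%Y-%m-%d %H:%M:%S")
| fieldformat first_how=strftime(first_how, "%Y-%m-%d %H:%M:%S")
| table name, call_time, first_hello, first_how
```

Because every event still carries a name, each name keeps its row in the stats output; min() simply ignores the null() values, so first_hello or first_how stays empty when the word never appears for that name, and the two columns can no longer collapse to the same value because each is computed from its own field.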