![]() I didn't expect data against those dates, so I copied the subsearch and ran it in a separate search window, and I can see (as I expected) there's no data from 01-02 thru 01-09 (below). Left Join search with lookup over inputlookup CarmineCalo Path Finder 01-11-2018 08:17 AM Ciao, Im trying to solve the following problem. If I run the query above, I get data in TY18 column from 01-02 thru 01-09 (below). The lookup table can be a CSV lookup or a KV store lookup. Its almost always possible to avoid a join by using some form of stats, but it can sometimes be difficult to imagine the data flowing through the pipeline in Splunk to work out how to manipulate the data to do that joinwithstats. ![]() you might be able to do something like this, if there. I understand a left join to mean that if the results from my subsearch don't match with the main search, it won't be included. Description Use the inputlookup command to search the contents of a lookup table. There are some really good examples in this forum about avoiding join in many cases. try this: inputlookup hosts.csv join typeleft host search indexabc sourectypexyz stats latest(time) as time by host remember that join has limitations and should be avoided if possible. | streamstats sum(18attempts) as 18attempts | stats sum(attempts) as 18attempts by _time | streamstats sum(19attempts) as 19attempts | timechart span=1d dc(intuit_tid) as 19attempts Here is my query (time range is YTD): (splunk_server=indexer* index=wsi_tax_summary sourcetype=stash capability=109* tax_year=2019 ein=* intuit_offeringid=* type Syntax: typeinner outer left Description: Indicates the type of join to perform.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |