Your Splunk videos are brilliant and very informative. Keep up the good work!
You can press Control + pipe to auto-sort the search query :) And this is the best channel ever created for Splunk.
Thank you.. Learned something new today... 👍
Thank you!
Great effort, very helpful.
Very informative 👍👍
Hi, I am trying to do a full outer join where I want all unmatched rows of the left and right queries. Could you please help?
Not possible in Splunk :)
I have a list of strings in a search result. Can the map command be used to just search a string (unindexed field) for the result?
Can you give me one example? It would be easier for me to assist.
Any links to your previous tutorial? “Getgenere” is abstract for me here.
Hi Shashank,
Here it is.
th-cam.com/video/sJRTIyZZtbM/w-d-xo.html
Sid
Hey,
I am joining results from 2 different CSV files from 2 different indexes.
The below query worked for the join command; can you please let me know how to modify this to the map command?
index="Join1"
| table Employee_ID, Department, Name, Salary, "PF Opted"
| join type=outer Employee_ID
[search index="Join2"
| table Employee_ID, "Rewards _ Recognition", Year]
Hi,
It would be something like below,
index="Join1"
| table Employee_ID, Department, Name, Salary, "PF Opted"
| map [
search index="Join2" Employee_ID=$Employee_ID$
| table Employee_ID, "Rewards _ Recognition", Year
]
Now a couple of points:
1. Just curious to know why you need to implement map here. Commands like map and join are not good performance-wise. The best solution in this case would be to use a lookup or a subsearch.
2. By default the map search returns the fields from the map subsearch only. If you need fields from the outer search, you need to pass those values into the inner search as eval, just like I did for Employee_ID.
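The following is an added, self-contained example (mine, not code from the comment above or from Splunk's documentation) that demonstrates point 2. It uses makeresults to construct three employee rows in place of index="Join1", and the map subsearch uses makeresults again to build the matching row in place of index="Join2", so it runs on any Splunk instance without those indexes. The Department values, the Rewards_Recognition field and the maxsearches value are assumptions for the illustration. Only fields created inside the brackets reach the output: the two eval lines that copy $Employee_ID$ and $Department$ are what carries the outer-search fields through, and removing the Department line makes that column disappear. The `comment` macro is the one shipped with the Search app.

```spl
`comment("Added example: outer search stands in for index=Join1 (constructed rows)")`
| makeresults count=3
| streamstats count AS n
| eval Employee_ID=100+n
| eval Department=case(n==1, "Eng", n==2, "Ops", n==3, "HR")
| fields - _time n
`comment("map runs the bracketed search once per outer row; string tokens must be quoted")`
| map [
    | makeresults
    | eval Employee_ID=$Employee_ID$
    | eval Department="$Department$"
    | eval Year=2019
    | eval Rewards_Recognition=case(Employee_ID==101, "Spot award", Employee_ID==102, "Team award")
    | fields - _time
  ] maxsearches=10
| table Employee_ID Department Year Rewards_Recognition
```

Note the cost model this makes visible: map launches one full search per outer row, and stops with a message once maxsearches (default 10) is reached, which is why the reply above steers towards a lookup or a subsearch for anything beyond a handful of rows.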
@splunk_ml Thank you so much for the detailed answer. Yes, I would rather use a lookup in this case. But I just wanted to test how join works in this scenario. Thanks again :)
Hi Sid,
I want to say a big thanks to you; the videos are really helpful, keep up the good work!!!
I have a query:
I have a search that counts the appearances of a userID. The first column is the userID, the second is the count. I want a third column in that table, where the email ID for the userID is listed. The email ID is currently in a CSV file. The first column in this file is the userID, the second is the email ID. How can I compare the Splunk search result and the CSV file?
The result should look like this:
userID count Email ID
And also, is there a way to send an email alert to the corresponding userID's email ID, whose value we get from the first query? (userID is dynamic)
Thanks in Advance
Hi Kiran,
For your first question you can create a lookup. For your second question you can send the user ID as a token to the email alert action. Please refer to the link below,
docs.splunk.com/Documentation/Splunk/7.3.1/Alert/EmailNotificationTokens
@splunk_ml Thanks for the reply... Could you please give the query combining both my questions into one? Just the query; for the email alert I will check the docs.
It will be something like below,
| lookup <lookup_name> userID AS userID OUTPUTNEW emailID
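As an added example for the lookup approach in the reply above (my searches, not code from the thread), here is the complete flow in a self-contained form. Instead of uploading a CSV it writes the lookup file itself with outputlookup, so the file name user_emails.csv, the user names and the addresses are constructed for the illustration. Run the first search once to create the file, then run the second on its own; the second stands in for the real counting search by generating six events for three users, counting by userID, and attaching the email from the lookup. The `comment` macro is the one shipped with the Search app.

```spl
`comment("Search 1 (run once): build the userID -> emailID lookup file from constructed rows")`
| makeresults count=3
| streamstats count AS n
| eval userID="user".n
| eval emailID=userID."@example.com"
| fields userID emailID
| outputlookup user_emails.csv

`comment("Search 2: count events per user, then enrich each row from the lookup file")`
| makeresults count=6
| streamstats count AS n
| eval userID="user".((n % 3) + 1)
| stats count BY userID
| lookup user_emails.csv userID AS userID OUTPUTNEW emailID
| table userID count emailID
```

The lookup is evaluated once per result row after stats has already reduced the data, which is why it scales where map and join do not. OUTPUTNEW only fills emailID where the row does not already have one; use OUTPUT if the lookup should overwrite an existing value.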
@splunk_ml Thanks a lot for the help, Sid.
Will you be able to help me with the question I asked here - stackoverflow.com/questions/55780940/join-two-splunk-queries-without-predefined-fields