![]() ![]() If this reply helps you, Karma would be appreciated. inputlookup output.csv append dedup name outputlookup outputs.csv.Its almost always possible to avoid a join by using some form of stats, but it can sometimes be difficult to imagine the data flowing through the pipeline in Splunk to work out how to manipulate the data to do that joinwithstats. The usual method is to read in the CSV, append the results of a search, deduplicate the results, and write them to the CSV. There are some really good examples in this forum about avoiding join in many cases. I expect to see 3 Description text columns: LargeNodeDesc MidSizeNodeDesc SmallNodeDesc, then numeric columns TtlSmallNodes, TtlMidSizeNodes, TtlLargeNodes, and similar 3 numeric columns for Hosts, grouped by their respective descriptions. CSV files must be updated in their entirety. I replace the previous commands with the following set of istructions: join typeleft CI search indexoromajorstatic fields CI lookup DOMServiceCatalogueLookup ApplicationID as CI OUTPUTNEW PrimaryWindows as PrimaryWindows look. SPL is:Äc(eval(if(NodeType="A",NodeID,null()))) as TtlSmallNodesÄc(eval(if(HostType="B",HostD,null()))) as TtlSmallHostÄ«y LargeComputeUnit MidComputeUnit SmallComputeUnitÄc(eval(if(NodeType="A",NodeID,null()))) as TtlMidSizeNodesÄc(eval(if(HostType="B",HostD,null()))) as TtlMidSizeHostÄc(eval(if(NodeType="A",NodeID,null()))) as TtlLargeNodes I solved the problem changing the content of the subsearch. There's actually another Compute unit I forgot named Host, but essentially with same logic. inputlookup dmcassets stats first(serverName) as serverName, first(host) as host, first(machine) as. yes its possible, putting attention that in the output of the subsearch theres also the field used as key in the join (as kamleshvaghela suggested) Anyway, I dont like join because its a very slow command to use only when there isnt any other solution (in other words in the 0.01 of the use cases). ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |