Aktuelle Version vom 25. Januar 2021, 14:33 Uhr

Example

In the index "index1" the fields "field1_index2" and "field2_index2" is missing, but in the index "index2" there it is.
"Field1" from "index1" hast the same value as "field1_index2" from "index2" (-> this is the field for merging the data)

Goal: Adding "field2_index2" from "index2" to the main-search of "index1"

Fields of Index1:

field1
field2
field3

Fields of Index2:

field1_index2
field2_index2

Multisearch

With multisearches you can combine data from multiple indexes, really similar to Splunk Joins but faster.

Splunk-Search

| multisearch
    [search index="Index1" <some_filters_if_needed> earliest=-24h latest=now ...]
    [search index="Index2" <some_filters_if_needed> earliest=-24h latest=now ... | rename field1_index2 AS field1]
| stats
    latest(field1) as field1
    latest(field2) as field2
    latest(field3) as field3
    by field1 
| fields
    name, vmid, ciNumber, owner.emailAddress

Join - Add fields from another index to my search

Splunk-Search

index=index1
| sort field1 DESC
| join type=left field1 [search index=index2 ealiest=-1d | rename field1_index2 AS field1 | fields field1, field2_index2]
| table field1, field2, field3, field2_index2

@@ Zeile 1: / Zeile 1: @@
-== Add fields from another index to my search ==
+= Example =
 In the index "index1" the fields "field1_index2" and "field2_index2" is missing, but in the index "index2" there it is.<br>
-"Field1" from "index1" hast the same value as "field1_index2" from "index2" <br>
+"Field1" from "index1" hast the same value as "field1_index2" from "index2" (-> this is the field for merging the data) <br>
 '''Goal:''' Adding "field2_index2" from "index2" to the main-search of "index1"
 Fields of Index1:
@@ Zeile 15: / Zeile 14: @@
 *field2_index2
+== Multisearch ==
+''With multisearches you can combine data from multiple indexes, really similar to Splunk Joins but faster.''
+'''Splunk-Search'''
+<pre>
+| multisearch
+    [search index="Index1" <some_filters_if_needed> earliest=-24h latest=now ...]
+    [search index="Index2" <some_filters_if_needed> earliest=-24h latest=now ... | rename field1_index2 AS field1]
+| stats
+    latest(field1) as field1
+    latest(field2) as field2
+    latest(field3) as field3
+    by field1
+| fields
+    name, vmid, ciNumber, owner.emailAddress
+</pre>
+== Join - Add fields from another index to my search ==
 '''Splunk-Search'''
   index=index1
@@ Zeile 25: / Zeile 45: @@
-index=adm_hyperveventcollector "System.Channel"="Microsoft-Windows-Hyper-V-VMMS-Admin" ("System.EventID"=20415 OR "System.EventID"=20413 OR "System.EventID"=20417)
-| rename "System.Execution.@ThreadID" AS ThreadID
-| rename "System.Execution.@ProcessID" AS ProcessID
+[[Kategorie:Splunk]]
-| rename "UserData.VmlEventLog.Parameter0" AS VM
-| rename "UserData.VmlEventLog.Parameter1" AS VM-ID
-| rename "System.Computer" AS Source
-| transaction ThreadID, VM-ID mvlist="UserData.VmlEventLog.Parameter2" startswith="initiated the live migration of" endswith="successfully completed the live migration"
-| eval Destination=mvindex('UserData.VmlEventLog.Parameter2',0)
-| eval BlackoutTime=mvindex('UserData.VmlEventLog.Parameter2',1)
-| eval time="System.TimeCreated.@SystemTime"
-| eval EndTime=_time+duration
-| eval StartTime=_time
-| convert timeformat="%d.%m.%y %H:%M:%S.%f" ctime(StartTime)
-| convert timeformat="%d.%m.%y %H:%M:%S.%f" ctime(EndTime)
-| where eventcount=2
-| sort EndTime DESC
-| join type=left Destination [search index=adm_compute_qcheck  earliest=-1d | rename *.* as ** | rename *{}* as ** | rename *{}* as ** | rename source AS Destination | fields Destination, ClusterName ]

Search: Join / Multisearch: Unterschied zwischen den Versionen

Aktuelle Version vom 25. Januar 2021, 14:33 Uhr

Example

Multisearch

Join - Add fields from another index to my search

Navigationsmenü

Meine Werkzeuge

Namensräume

Varianten

Ansichten

Aktionen

Suche

Navigation

Informatik

Werkzeuge

Drucken/exportieren