Search: Join / Multisearch: Unterschied zwischen den Versionen
Aus Wiki-WebPerfect
Admin (Diskussion | Beiträge) |
Admin (Diskussion | Beiträge) |
||
| Zeile 19: | Zeile 19: | ||
''With multisearches you can combine data from multiple indexes, really similar to Splunk Joins but faster.'' | ''With multisearches you can combine data from multiple indexes, really similar to Splunk Joins but faster.'' | ||
| + | '''Splunk-Search''' | ||
<pre> | <pre> | ||
| multisearch | | multisearch | ||
Version vom 7. Januar 2021, 14:33 Uhr
Example
In the index "index1" the fields "field1_index2" and "field2_index2" is missing, but in the index "index2" there it is.
"Field1" from "index1" hast the same value as "field1_index2" from "index2" (-> this is the field for merging the data)
Goal: Adding "field2_index2" from "index2" to the main-search of "index1"
Fields of Index1:
- field1
- field2
- field3
Fields of Index2:
- field1_index2
- field2_index2
Multisearch
With multisearches you can combine data from multiple indexes, really similar to Splunk Joins but faster.
Splunk-Search
| multisearch
[search index="Index1" <some_filters_if_needed> earliest=-24h latest=now ...]
[search index="Index2" <some_filters_if_needed> earliest=-24h latest=now ... | rename field1_index2 AS field1]
| stats
latest(field1) as field1
latest(field2) as field2
latest(field3) as field3
by field1
| fields
name, vmid, ciNumber, owner.emailAddress
Join - Add fields from another index to my search
Splunk-Search
index=index1 | sort field1 DESC | join type=left field1 [search index=index2 ealiest=-1d | rename field1_index2 AS field1 | fields field1, field2_index2] | table field1, field2, field3, field2_index2
