Reputation: 41
SPLUNK subsearch 2 CSV Files join together
I have 2 Files with order data saved in two different sourcetypes in splunk. One file contains an orderid, plnum(praefix + orderid (one ordernumer contains 3 plnum)), model (type of the order). The second file contains the same plnum's and Materialnumbers to those plnum's.
I want to search for the top Materials used for one or more Models.
So I searched for how to setup a subsearch:
sourcetype=file1 [search sourcetype=file2 MODEL="someting"| fields MODEL] |stats values(MATNR) by MODEL
I dont know why the subsearch dont work.
Upvotes: 0
Views: 374
Answers (1)
Reputation: 9926
Run the subsearch by itself to verify it works and produces the expected results. I suspect it is working and is returning a list of PLNUMs in the form foo bar baz.... Splunk puts an implicit AND between search terms so your main search is looking for events containing all PLNUMs, which is unlikely.
Try using format in your subsearch. It returns the results in foo OR bar OR baz... format, which should work better in the main search.
sourcetype=file1 [search sourcetype=file2 MODEL="someting"| fields PLNUM | format] |stats values(MATNR) by PLNUM
Upvotes: 0
Related Questions
- Splunk filter one search by another
- SPLUNK use result from first search in second search
- Join two Splunk queries without predefined fields
- New CSV file not syncing with index Splunk
- Search using Lookup from a single field CSV file
- run subquery for each row of csv file passing the field in search string
- Comparing values in two columns of two different Splunk searches
- Splunk: How to add cells of two tables
- show results from two splunk queries into one
- Splunk combining multiple logs