Question:

I have an SPL query that runs on an index and sourcetype which has millions of jobnames. I want my SPL to read through a list of jobnames from a different query and use it as a subsearch. I have created a lookup.csv for this list of 16,000 jobnames and want to run my search on it.

Main SPL that runs on millions of jobnames:

```
earliest=-7d index=log-13120-nonprod-c laas_appId=qbmp.prediction* "jobPredictionAnalysis" prediction lastEndDelta
| table jobname, prediction_status, predicted_end_time
```

freq_used_jobs_bmp_3months.csv, which is a simple two-column file.

I tried to join the main query with this input file. I want to operate and write SPL queries on this list of jobNames only.

```
| lookup freq_used_jobs_bmp_3months.csv jobName output freq_count
```

```
Na_prod_secure-ist-indexer-1_.com-23000] Streamed search execute failed because: Error in 'lookup' command: Could not construct lookup 'freq_used_jobs_bmp_3months.csv, jobName, output, freq_count'.
```

The other option is to somehow combine or join the main query with a subsearch instead of a lookup file.

Main query:

```
earliest=-7d index=log-13120-nonprod-c laas_appId=qbmp.prediction* "jobPredictionAnalysis" prediction lastEndDelta
| table jobname, prediction_status, predicted_end_time
```

Subsearch that will list a smaller number of jobNames that are used in the last 3 months:

```
earliest=-90d index="log-13120-prod-c" sourcetype="autosys_service_secondary:app" OR "autosys_service_primary:app" "request:JobSearch" installation="P*" NOT "*%*"
| stats count as freq_count by jobName
```

Answer:

You had jobname in your events and jobName in the lookup. Your first attempt might be failing simply due to a field name case mismatch.
Comparing OR, Append, Multisearch, and Union

The table below shows a comparison of the four methods (OR, append, multisearch and union). Choose the most efficient method based on the command types needed. The table's cells are listed here because its column layout did not survive extraction:

- Can be either the first command or used in between searches.
- Does only a single search for events that match specified criteria.
- Requires a primary search and a secondary one.
- Requires at least two searches that will be "unioned".
- Appends results of the "subsearch" to the results of the primary search.
- Behaves like multisearch with streaming searches and like append with non-streaming.
- Allows both streaming and non-streaming operators.
- Does not allow use of operators within the base searches.
- No limit to the number of rows that can be produced.
- Subject to a maximum of 50,000 result rows by default.
- Default of 50,000 result rows with non-streaming searches.
- Results are added to the bottom of the table.
- Results are interleaved based on the time field.

Want to learn more about combining data sources in Splunk? Contact us today!

TekStream accelerates clients' digital transformation by navigating complex technology environments with a combination of technical expertise and staffing solutions. We guide clients' decisions, quickly implement the right technologies with the right people, and keep them running for sustainable growth. Our battle-tested processes and methodology help companies with legacy systems get to the cloud faster, so they can be agile, reduce costs, and improve operational efficiencies. And with hundreds of deployments under our belt, we can guarantee on-time and on-budget project delivery. That's why 97% of clients are repeat customers.