Search: Join / Multisearch: Unterschied zwischen den Versionen
Aus Wiki-WebPerfect
Admin (Diskussion | Beiträge) K (Admin verschob die Seite Search: Join nach Search: Join / Multisearch, ohne dabei eine Weiterleitung anzulegen) |
Admin (Diskussion | Beiträge) |
||
| Zeile 1: | Zeile 1: | ||
| − | = | + | = Example = |
In the index "index1" the fields "field1_index2" and "field2_index2" is missing, but in the index "index2" there it is.<br> | In the index "index1" the fields "field1_index2" and "field2_index2" is missing, but in the index "index2" there it is.<br> | ||
| − | "Field1" from "index1" hast the same value as "field1_index2" from "index2" <br> | + | "Field1" from "index1" hast the same value as "field1_index2" from "index2" (-> this is the field for merging the data) <br> |
'''Goal:''' Adding "field2_index2" from "index2" to the main-search of "index1" | '''Goal:''' Adding "field2_index2" from "index2" to the main-search of "index1" | ||
| − | |||
Fields of Index1: | Fields of Index1: | ||
| Zeile 16: | Zeile 15: | ||
| + | |||
| + | == Multisearch == | ||
| + | ''With multisearches you can combine data from multiple indexes, really similar to Splunk Joins but faster.'' | ||
| + | |||
| + | <pre> | ||
| + | | multisearch | ||
| + | [search index="Index1" <some_filters_if_needed> earliest=-24h latest=now ...] | ||
| + | [search index="Index2" <some_filters_if_needed> earliest=-24h latest=now ... | rename field1_index2 AS field1] | ||
| + | | stats | ||
| + | latest(field1) as field1 | ||
| + | latest(field2) as field2 | ||
| + | latest(field3) as field3 | ||
| + | by field1 | ||
| + | | fields | ||
| + | name, vmid, ciNumber, owner.emailAddress | ||
| + | </pre> | ||
| + | |||
| + | |||
| + | |||
| + | == Join - Add fields from another index to my search == | ||
'''Splunk-Search''' | '''Splunk-Search''' | ||
index=index1 | index=index1 | ||
Version vom 7. Januar 2021, 13:32 Uhr
Example
In the index "index1" the fields "field1_index2" and "field2_index2" is missing, but in the index "index2" there it is.
"Field1" from "index1" hast the same value as "field1_index2" from "index2" (-> this is the field for merging the data)
Goal: Adding "field2_index2" from "index2" to the main-search of "index1"
Fields of Index1:
- field1
- field2
- field3
Fields of Index2:
- field1_index2
- field2_index2
Multisearch
With multisearches you can combine data from multiple indexes, really similar to Splunk Joins but faster.
| multisearch
[search index="Index1" <some_filters_if_needed> earliest=-24h latest=now ...]
[search index="Index2" <some_filters_if_needed> earliest=-24h latest=now ... | rename field1_index2 AS field1]
| stats
latest(field1) as field1
latest(field2) as field2
latest(field3) as field3
by field1
| fields
name, vmid, ciNumber, owner.emailAddress
Join - Add fields from another index to my search
Splunk-Search
index=index1 | sort field1 DESC | join type=left field1 [search index=index2 ealiest=-1d | rename field1_index2 AS field1 | fields field1, field2_index2] | table field1, field2, field3, field2_index2
