cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Splunk_User2806
Explorer
Member since: ‎11-25-2022
‎04-17-2023
Community Statistics
Posts 5
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎11-25-2022
Activity Feed
View All

Re: Custom Time Picker Classic vs Dashboard Studio

by in Dashboards & Visualizations
‎04-17-2023 06:07 AM
‎04-17-2023 06:07 AM
Hey, i have the same task to handle 🙂 Did you find a Solution? ... View more

Re: Join 3 sources without join

by in Splunk Search
‎11-28-2022 06:37 AM
‎11-28-2022 06:37 AM
Hey! seems to work. The key was the  sourcetype IN ("MP"...) and the extraction with eval case... But my Problem now is i want to see all Production Numbers PRODNR wich passed the Step 6 today so earliest @d+6h is right... but the cause could be up to 2-3 days back! The NAS or NAU.  How can i extract the MP PORDNR from today but search for all Causes in NAS and NAU wich are linkt to that PRODNR even if they are some days back? Thank youo very much guys! 😁   ... View more

Re: Join 3 sources without join

by in Splunk Search
‎11-25-2022 06:38 AM
‎11-25-2022 06:38 AM
hey thank you! yes here they are. It has to look like this. I Need all Source datas one next to the other and liks the NAU and NAS data by the SNSM as you see. at the end i want to show the 6.0 for every PRODNR in the data. and i need the empty fields, so i know if the issue is closed and if it is before or after the 6.0 point   ... View more

Re: Join 3 sources without join

by in Splunk Search
‎11-25-2022 06:24 AM
‎11-25-2022 06:24 AM
Hey thank you! Yes i know this post. I try it like for a week. I searched every Topic here. MY Problem is that i need the coloumn SNSM to be shorn in my results for the source=NAS and for the source=NAU. like rename them to SNSM_NAS ans SNSM_NAU... so i can compare if they are the same or if the SNSM_NAU is missing. Nothing worked for me till now. I need a easy join left for all thre sources and compare the SNSM numbers. Without the issue of missing Data ... View more

How to join three sources without join?

by in Splunk Search
‎11-25-2022 05:45 AM
‎11-25-2022 05:45 AM
Hi everyone,   I want to join 3 sources from the same inidex. The Problem is, that with join i lose Date because im over 50.000 results in the subsearch. So i try to get my table over the "normal" search.   Logic is like the picture: The source "NAS" is a reported fault on a specific Production-number (PRODNR). it includes the Productionnumber, the timestamp of the detection and a clear ID (SNSM - for every fault) with the Partcode of the fault part.  The "NAU" is the data of the processed/closed defect. Problem here is as you can see that the columns in the sources have the same names.    The MP is the number of the process Step. so every source contains the PRODNR.  The NAS and NAU contain the SNSM IDs.  So i want to join the NAU ans NAS by the "SNSM" IDs and see if they alsready passed the Progress step 6 and if a fault was proccessed before the step 6 or if it was open the time the Production Number passed the Step 6.  my search that works is as shown. But its limited to the 50.000 results.  i try to to make it with index=pfps-k sourcetype=NAS OR sourcetype=NAU OR sourcetype=MP.  I get all the data but i cant do the same like the join so compare the SNSM IDs and then the Productionstep index=pfps-k sourcetype=NAS ( PRODNR="1*" OR PRODNR="2*" ) |where 'SPERRE' like ("PZM51%") |dedup PRODNR,PRUEFUNG |join type=left max=0 left=NAS right=NAU where NAS.SNSM=NAU.SNSM [search index=pfps-k sourcetype=NAU ( PRODNR="1*" OR PRODNR="2*" ) |dedup SNSM] |join type=left max=0 left=L right=MP where L.NAS.PRODNR=MP.PRODNR [search index=pfps-k sourcetype="MP" earliest=@d+6h |where MELDEPUNKT=6.0 |where like(PRODNR,"1%") OR like(PRODNR,"2%")] ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎04-17-2023 10:49 AM
Karma given to
View All