

If you do a left join on C, then you exclude records from A and B that are not inside C. So the goal is to return all instances of all machines regardless of the source. 1) Don't use join at all, but use append and. There are other statistical functions that could be used like list, but without knowing the makeup of your source data it's hard to make recommendations. To explain further, this is a query to discover machines in 3 separate sources. The join command's outer join is technically a left outer join. This example builds a search incrementally. You can follow along with this example on your own Splunk instance.

The results of a left (or outer) join include all of the events in the main. The following example shows how the selfjoin command works against a simple set of results. Splunk Enterprise servers in a distributed environment. I found some questions that try to resolve the issue with the search command but in my case it does not work. Join the results with itself on the 'id' field. type=outer in the join command means LEFT JOIN in reality.
It seems like ChannelId correlates loosely to source, but that could also be a problem of sample size. In SQL this is called FULL OUTER JOIN but I cannot find a way to replicate it since the parameter. In the original events, what is the relationship between EventId and Name and ChannelId? Are they all part of a single event or are they separate events? The problem with stats values(field) is that order is not preserved, just uniqueness of values, so there is not necessarily a correlation between the first EventId and the first Name.
