I set up a savedsearch to monitor the status of some critical reports (from a "critical_reports.csv" lookup) within a certain time range, such as 7 days. I used an outer join to find out if the reports did not run because, for instance, they are disabled in the scheduler. Here is my query:
```
index=_internal sourcetype=scheduler "report 1" OR "report 2"
| stats count by savedsearch_name status result_count alert_actions
| join type=outer savedsearch_name [| inputlookup critical_reports.csv]
```
However, the Splunk outer join doesn't work as expected: it returns no results if there are no results returned from the primary search. I tried to use append with the first or values commands as suggested in this [link][1], but it only returns one record per report. Are there any alternate solutions in my case? Thanks.
[1]: https://answers.splunk.com/answers/81741/full-outer-join.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev
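As an added example (not part of the original post), one pattern that keeps a critical report in the output even when the scheduler logged nothing for it is to make the lookup the primary search and left-join the scheduler events onto it. A Splunk join only preserves rows from the primary side, so when the primary side is the lookup, a report with zero runs still appears, with empty fields that fillnull turns into an explicit "no scheduler activity" marker. The example assumes the lookup has a savedsearch_name column (as the join in the question implies) and uses join's max=0 option so that every status row per report is kept rather than only the first match.

```spl
| inputlookup critical_reports.csv
| join type=left max=0 savedsearch_name
    [ search index=_internal sourcetype=scheduler earliest=-7d
      | stats count by savedsearch_name status result_count alert_actions ]
| fillnull value=0 count result_count
| fillnull value="no scheduler activity" status
| table savedsearch_name status count result_count alert_actions
```

A report whose row shows count 0 and status "no scheduler activity" is exactly the case the question is after (disabled, mis-scheduled, or otherwise silent), so that condition is what the alerting savedsearch should trigger on. The report-name filter is dropped from the subsearch because the lookup already restricts the output to the critical reports; if the scheduler log is large, keep the subsearch below the join subsearch result limit by filtering on savedsearch_name with a subsearch over the lookup, or by narrowing the time range.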