Trying to Join 2 search results (where the common field has multivalues in one of the searches) to display in single table
**Splunk Query:**
```
index="XYXY" sourcetype="XXX_product_details_csv" | join PARTNUMBER [search index="XYXY" host="ABDC*" "Entire Price call" AND "PriceServiceImpl" FAIL
| rex field=parts mode=sed "s/\[/ /g"
| rex field=parts mode=sed "s/\]/ /g"
| rex field=parts mode=sed "s/\ / /g"
| makemv delim="," parts
| mvexpand parts
| top parts
| rename parts AS PARTNUMBER]
| table PARTNUMBER BUYABLE PUBLISHED DISCONTINUED count
| rename count as "Failed Cart Count"
```
***Above Query Doesn't work***
**If I hardcode a single part number into the query the join works -**
```
index="XYXY" sourcetype="XXX_product_details_csv" | join PARTNUMBER [search index="XYXY" host="ABDC*" "Entire Price call" AND "PriceServiceImpl" FAIL
| rex field=parts mode=sed "s/\[/ /g"
| rex field=parts mode=sed "s/\]/ /g"
| rex field=parts mode=sed "s/\ / /g"
| makemv delim="," parts
| mvexpand parts
| top parts
| rename parts AS PARTNUMBER
| eval PARTNUMBER="128227" ]
| table PARTNUMBER SHORTDESCRIPTION BUYABLE PUBLISHED DISCONTINUED count
| rename count as "Failed Cart Count"
```
![alt text][1]
Results from Successful query....
[1]: /storage/temp/274200-screen-shot-2019-07-24-at-114201-pm.png
Both searches work / yield results independently of the join.