Skip to content

Join=left doesn't find Kvstore/Kvdump result when BACKUPKV is disabled #4

Description

@MAStephen

Hi,

I 'm not sure if its an issue because i don't know the impact of this modification below.

My environment : Cluster Manager in v9.3.X splunk

  • Kvstore exists and enabled
  • The variable 'BACKUPKV' is disabled (0)

Result in 'splunkconf-backup' when the backup occur :

Image

Backup KV local is missing.

I found your SPL search with a 'join=left' :

|makeresults | eval host="XXXX(HIDE)XXXX" | makemv delim="|" host| eval object=mvappend("etc","scripts","kvdump","kvstore","state"), type=mvappend("local","remote") | mvexpand host| mvexpand object | mvexpand type | join type=left host,type,object [search index=_internal source="splunkconf-backup.log" "splunkconf-backup" NOT "splunkconf-purgebackup" action=backup NOT result="running" | bin _time span=1d | stats count as nb,latest(_raw) , latest(result) as result , values(result) as list_result by type,host,object]

Image

The request doesn't find any log about kvdump or kvstore, but they exist in the '_internal' index.
However, when i change the join to 'inner' :

|makeresults | eval host="XXXX(HIDE)XXXX" | makemv delim="|" host| eval object=mvappend("etc","scripts","kvdump","kvstore","state"), type=mvappend("local","remote") | mvexpand host| mvexpand object | mvexpand type | join type=inner host,type,object [search index=_internal source="splunkconf-backup.log" "splunkconf-backup" NOT "splunkconf-purgebackup" action=backup NOT result="running" | bin _time span=1d | stats count as nb,latest(_raw) , latest(result) as result , values(result) as list_result by type,host,object]

I find the correct results.

Image

Can you tell me the impact if we modify this join ?

Best regards,
MAStephen

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions