https://community.splunk.com/t5/Getting-Data-In/Right-join-in-Splunk/m-p/76262#M15560 <P>That did not really entirely help.</P> <P>Here is a new query for review:</P> <P>sourcetype="alphalog" | dedup ModuleNum | eval MNumber=ModuleNum| join MNumber[ search sourcetype="betalog" fields MName ]</P> Thu, 03 Jan 2013 01:03:57 GMT asarolkar 2013-01-03T01:03:57Z https://community.splunk.com/t5/Getting-Data-In/Right-join-in-Splunk/m-p/76260#M15558 <P>I have two sourcetypes that have a field that does not have the same name in both places (but has the same values)</P> <PRE><CODE>i) sourcetype="alphalog" ModuleNum=* | dedup ModuleNum ii) sourcetype="betalog" MNumber=* | table MNumber </CODE></PRE> <P>Please note that sourcetype="betalog" has another field called MName.</P> <P><BR /><BR /> <BR /><BR /> I need to write a Splunk query that basically does this -&gt;</P> <P><STRONG>Select betalog.MName from both sourcetypes where alphalog.ModuleNum = betalog.MNumber</STRONG></P> <P>Is there a query that does a join like this in Splunk ?</P> <P>Any help would be appreciated</P> Wed, 02 Jan 2013 23:43:04 GMT https://community.splunk.com/t5/Getting-Data-In/Right-join-in-Splunk/m-p/76260#M15558 asarolkar 2013-01-02T23:43:04Z https://community.splunk.com/t5/Getting-Data-In/Right-join-in-Splunk/m-p/76261#M15559 <P>sourcetype=alphalog | JOIN type=inner ModuleNum [ search sourcetype=betalog]<BR /><BR /> OR this search...<BR /><BR /> sourcetype=alphalog [ search sourcetype=betalog MNumber=* | FIELDS MNumber ]</P> <P>I think at least one of the two examples above should work if Im following. Check out: <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join</A><BR /><BR /> You might find this link useful as well:<BR /><BR /> <A href="http://www.innovato.com/splunk/SQLSplunk.html">http://www.innovato.com/splunk/SQLSplunk.html</A> </P> Thu, 03 Jan 2013 00:40:08 GMT https://community.splunk.com/t5/Getting-Data-In/Right-join-in-Splunk/m-p/76261#M15559 rroberts 2013-01-03T00:40:08Z https://community.splunk.com/t5/Getting-Data-In/Right-join-in-Splunk/m-p/76262#M15560 <P>That did not really entirely help.</P> <P>Here is a new query for review:</P> <P>sourcetype="alphalog" | dedup ModuleNum | eval MNumber=ModuleNum| join MNumber[ search sourcetype="betalog" fields MName ]</P> Thu, 03 Jan 2013 01:03:57 GMT https://community.splunk.com/t5/Getting-Data-In/Right-join-in-Splunk/m-p/76262#M15560 asarolkar 2013-01-03T01:03:57Z https://community.splunk.com/t5/Getting-Data-In/Right-join-in-Splunk/m-p/76263#M15561 <P>Are you sure that you need to <CODE>join</CODE>? That's a pretty expensive operation, performance wise.<BR /> From your original question, you want to get the betalog.MName from betalog, where the values for ModuleNum/MNumber are the same. What more do you need from alphalog? Nothing? Just a listing of beta.MNames by alpha.ModuleNum?</P> <P>It's always good practice to give a few sample events and describe the output you desire.</P> <PRE><CODE>sourcetype=betalog [search sourcetype=alphalog ModuleNum=* | dedup ModuleNum | rename ModuleNum as MNumber | fields + MNumber] | stats values(MName) by MNumber </CODE></PRE> <P>This could work...but it depends on what you actually want. The subsearch (within the square brackets) returns a 'list' of unique ModuleNums (renamed as MNumbers) to the outer search. Then it's just a question of how you want to use that.</P> <P>Kristian</P> Thu, 03 Jan 2013 13:46:39 GMT https://community.splunk.com/t5/Getting-Data-In/Right-join-in-Splunk/m-p/76263#M15561 kristian_kolb 2013-01-03T13:46:39Z https://community.splunk.com/t5/Getting-Data-In/Right-join-in-Splunk/m-p/76264#M15562 <P>Very helpful. Thanks !</P> Thu, 03 Jan 2013 17:44:34 GMT https://community.splunk.com/t5/Getting-Data-In/Right-join-in-Splunk/m-p/76264#M15562 asarolkar 2013-01-03T17:44:34Z