https://community.splunk.com/t5/Splunk-Search/Foreign-key/m-p/367331#M108359 <P>Hi yurykiselev,<BR /> there are many choices: join, transaction o stats:<BR /> join</P> <PRE><CODE>index=examination | rename user_id AS id_name | join id_name type=left [ search index=patients | fields id_name gender date_of_birth ] | table _time user_id gender date_of_birth exam_type </CODE></PRE> <P>transaction </P> <PRE><CODE>index=examination OR index=patients | rename user_id AS id_name | transaction id_name | table _time user_id gender date_of_birth exam_type </CODE></PRE> <P>stats</P> <PRE><CODE>index=examination OR index=patients | rename user_id AS id_name | stats values(gender) AS gender values(date_of_birth) As date_of_birth values(exam_type) AS exam_type by user_id </CODE></PRE> <P>Stats is the quickest.</P> <P>Bye.<BR /> Giuseppe</P> Wed, 21 Jun 2017 09:55:59 GMT gcusello 2017-06-21T09:55:59Z https://community.splunk.com/t5/Splunk-Search/Foreign-key/m-p/367330#M108358 <P>Hi!<BR /> I have two indexes: patients and examination</P> <P>patients: <EM>| id name | gender | date_of_birth |</EM><BR /> examination: <EM>| user_id | exam_type |</EM></P> <P>How could I get a table of all examinations for males?<BR /> Thank you!</P> Tue, 29 Sep 2020 14:37:21 GMT https://community.splunk.com/t5/Splunk-Search/Foreign-key/m-p/367330#M108358 yurykiselev 2020-09-29T14:37:21Z https://community.splunk.com/t5/Splunk-Search/Foreign-key/m-p/367331#M108359 <P>Hi yurykiselev,<BR /> there are many choices: join, transaction o stats:<BR /> join</P> <PRE><CODE>index=examination | rename user_id AS id_name | join id_name type=left [ search index=patients | fields id_name gender date_of_birth ] | table _time user_id gender date_of_birth exam_type </CODE></PRE> <P>transaction </P> <PRE><CODE>index=examination OR index=patients | rename user_id AS id_name | transaction id_name | table _time user_id gender date_of_birth exam_type </CODE></PRE> <P>stats</P> <PRE><CODE>index=examination OR index=patients | rename user_id AS id_name | stats values(gender) AS gender values(date_of_birth) As date_of_birth values(exam_type) AS exam_type by user_id </CODE></PRE> <P>Stats is the quickest.</P> <P>Bye.<BR /> Giuseppe</P> Wed, 21 Jun 2017 09:55:59 GMT https://community.splunk.com/t5/Splunk-Search/Foreign-key/m-p/367331#M108359 gcusello 2017-06-21T09:55:59Z https://community.splunk.com/t5/Splunk-Search/Foreign-key/m-p/367332#M108360 <P>Is id_name the foreign key? i.e. can we correlate id_name and user_id?</P> <P>If so you can create a field alias in one of the indexes to be the same as that in the other which is similar to, </P> <PRE><CODE>| rename id_name as user_id </CODE></PRE> <P>PS: Once you create Field Alias you will not need rename command.</P> <PRE><CODE>(index=patient AND id_name=* gender="male") OR (index=examination AND user_id=*) | rename id_name as user_id | stats values(examination) as examinations by user_id </CODE></PRE> Tue, 29 Sep 2020 14:33:04 GMT https://community.splunk.com/t5/Splunk-Search/Foreign-key/m-p/367332#M108360 niketn 2020-09-29T14:33:04Z https://community.splunk.com/t5/Splunk-Search/Foreign-key/m-p/367333#M108361 <P>Thank you all!</P> Wed, 21 Jun 2017 19:26:43 GMT https://community.splunk.com/t5/Splunk-Search/Foreign-key/m-p/367333#M108361 yurykiselev 2017-06-21T19:26:43Z