https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415229#M119550 <P>This did not work. It seems like the where and dedup function both are not working</P> Thu, 11 Oct 2018 19:23:52 GMT djain 2018-10-11T19:23:52Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415223#M119544 <P>Hey Splunkers,</P> <P>Here is my original query where the sub search is getting truncated to 50000 records.</P> <PRE><CODE>index = abc sourcetype=abc_errors | rename device.headwaters.watermark.core.DeviceInfo.receiverId.string AS receiverId | fields receiverId | join receiverId[search index=abc sourcetype=abc_temp|fields receiverId billingId] | table receiverId billingId </CODE></PRE> <P>I am trying to write a <CODE>stats</CODE> command for it so that I don't have to use <CODE>join</CODE>. Here is what I thought might work but doesn't.</P> <PRE><CODE>index = abc (sourcetype=abc_errors OR sourcetype=abc_temp) | fields sourcetype receiverId billingId device.headwaters.watermark.core.DeviceInfo.receiverId.string | rename device.headwaters.watermark.core.DeviceInfo.receiverId.string AS receiverId | dedup receiverId sourcetype | stats count AS total by receiverId | where total&gt;1 | table receiverId </CODE></PRE> <P>Can someone tell me what I might be doing wrong? I know there is something funky about the <CODE>dedup</CODE>, but I can't think of anything else right now.</P> <P>Thanks,<BR /> Divyank</P> Thu, 11 Oct 2018 18:23:01 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415223#M119544 djain 2018-10-11T18:23:01Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415224#M119545 <P>Please try like below</P> <PRE><CODE>index=abc sourcetype=abc_temp [index = abc sourcetype=abc_errors | rename device.headwaters.watermark.core.DeviceInfo.receiverId.string AS receiverId | stats count by receiverId| fields receiverId] |fields receiverId billingId </CODE></PRE> Thu, 11 Oct 2018 18:29:57 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415224#M119545 koshyk 2018-10-11T18:29:57Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415225#M119546 <P>try this:</P> <PRE><CODE>index = abc (sourcetype=abc_errors OR sourcetype=abc_temp) | fields sourcetype receiverId billingId device.headwaters.watermark.core.DeviceInfo.receiverId.string | eval receiver_id = coalesce(receiverId, device.headwaters.watermark.core.DeviceInfo.receiverId.string) | stats count as total by reciver_id | where total&gt;1 | table receiver_id </CODE></PRE> <P>hope it helps</P> Thu, 11 Oct 2018 18:35:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415225#M119546 adonio 2018-10-11T18:35:56Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415226#M119547 <PRE><CODE>index=abc (sourcetype=abc_temp OR sourcetype=abc_errors)| fields sourcetype receiverId billingId device.headwaters.watermark.core.DeviceInfo.receiverId.string | rename device.headwaters.watermark.core.DeviceInfo.receiverId.string AS receiverId | dedup sourcetype receiverId|stats count(eval(sourcetype="abc_temp")) as temp, count(eval(sourcetype="abc_errors")) as errors by receiverId| where temp=errors </CODE></PRE> Thu, 11 Oct 2018 18:57:26 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415226#M119547 Vijeta 2018-10-11T18:57:26Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415227#M119548 <P>This did not work It wouldn't give any results. Also we are not comparing the receiverId from both sourcetype? So for example if one sourcetype has more than one value for that receiverId it would still show up in the results? We want only the common receiverId between the sourcetypes to show</P> Thu, 11 Oct 2018 19:22:05 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415227#M119548 djain 2018-10-11T19:22:05Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415228#M119549 <P>This approach is using a subsearch? That is the problem that we are facing, subsearch is limited to 50000 rows</P> Thu, 11 Oct 2018 19:22:53 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415228#M119549 djain 2018-10-11T19:22:53Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415229#M119550 <P>This did not work. It seems like the where and dedup function both are not working</P> Thu, 11 Oct 2018 19:23:52 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415229#M119550 djain 2018-10-11T19:23:52Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415230#M119551 <P>@DalJeanis I am sorry for the direct tag, but you answered one of these questions for me perfectly so wanted to se if you can help me again</P> Thu, 11 Oct 2018 19:26:13 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415230#M119551 djain 2018-10-11T19:26:13Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415231#M119552 <P>Try doing a sort on sourcetype receiverId before dedup. What is the output you are getting using above search, you can test it removing where clause and see the values of temp and errors for each receiverId</P> Thu, 11 Oct 2018 20:03:13 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415231#M119552 Vijeta 2018-10-11T20:03:13Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415232#M119553 <P>Please note, i'm doing a stats count by receiverId within second search. So you still expect the unique receiverId to be greater than 50k? </P> Fri, 12 Oct 2018 09:45:08 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415232#M119553 koshyk 2018-10-12T09:45:08Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415233#M119554 <P>Yeah it would be closer to a million.</P> Fri, 12 Oct 2018 12:36:54 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415233#M119554 djain 2018-10-12T12:36:54Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415234#M119555 <P>I figured out a way to do it, I took the coalesce idea from @adonio . Thank you for that. Here is the solution query:</P> <PRE><CODE>index = abc (sourcetype=abc_errors OR sourcetype=abc_temp) | fields sourcetype receiverId billingId device.headwaters.watermark.core.DeviceInfo.receiverId.string | rename device.headwaters.watermark.core.DeviceInfo.receiverId.string AS Receiver | eval receiver_id = coalesce(Receiver, receiverId ) | dedup receiver_id sourcetype | stats count(sourcetype) AS total BY receiver_id | where total&gt;1 | stats count(receiver_id) AS match </CODE></PRE> <P>Thank you everyone for your input</P> Fri, 12 Oct 2018 16:48:11 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-join-functionality-without-using-subsearch/m-p/415234#M119555 djain 2018-10-12T16:48:11Z