https://community.splunk.com/t5/Splunk-Search/Replacing-join-command-to-integrate-data-from-two-different/m-p/437060#M124494 <P>Show us the search. How can we help otherwise?</P> Thu, 02 May 2019 16:59:08 GMT woodcock 2019-05-02T16:59:08Z https://community.splunk.com/t5/Splunk-Search/Replacing-join-command-to-integrate-data-from-two-different/m-p/437056#M124490 <P>Hello people,</P> <P>I am new in Splunk. So far I have been using join commands to integrate data from two different sources in a common field. The problem with this is that the searches take too long. apparently through lookups this should work faster. Would anybody be so kind to explain me exactly how I should do this ? it would be a massive thankyou from me. </P> <P>Cheers </P> Thu, 02 May 2019 10:14:47 GMT https://community.splunk.com/t5/Splunk-Search/Replacing-join-command-to-integrate-data-from-two-different/m-p/437056#M124490 ej56ygur 2019-05-02T10:14:47Z https://community.splunk.com/t5/Splunk-Search/Replacing-join-command-to-integrate-data-from-two-different/m-p/437057#M124491 <P>If you have a common field in 2 different sources you may be able to crate an Alias for the fields.<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Addaliasestofields">https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Addaliasestofields</A></P> Thu, 02 May 2019 13:04:09 GMT https://community.splunk.com/t5/Splunk-Search/Replacing-join-command-to-integrate-data-from-two-different/m-p/437057#M124491 jodyfsu 2019-05-02T13:04:09Z https://community.splunk.com/t5/Splunk-Search/Replacing-join-command-to-integrate-data-from-two-different/m-p/437058#M124492 <P>Can you provide some examples of the different queries that you need to join? Instead of doing things with join or lookups, you could use stats command on the field you were using to join. Lookups are fast, but require maintenance and can take up large amounts of disk space on your search head if you have an extremely large data set you are working with. Here's an extremely high level concept of using stats to combine data from different sources:</P> <PRE><CODE>(search string 1) OR (string string 2) | eval joiner=if(criteria unique to search string 1, field from search string 1 that you join on, field from search string 2 that you join on) | stats values("Field from Search string 1") as "Field from Search string 1" values("Field from Search string 2") as "Field from Search string 2" by joiner </CODE></PRE> Thu, 02 May 2019 13:12:07 GMT https://community.splunk.com/t5/Splunk-Search/Replacing-join-command-to-integrate-data-from-two-different/m-p/437058#M124492 dmarling 2019-05-02T13:12:07Z https://community.splunk.com/t5/Splunk-Search/Replacing-join-command-to-integrate-data-from-two-different/m-p/437059#M124493 <P>First of all thank you so much for your answer Dustin. Tomorrow I will have the access to the code and will post it. than you so much </P> Thu, 02 May 2019 13:15:35 GMT https://community.splunk.com/t5/Splunk-Search/Replacing-join-command-to-integrate-data-from-two-different/m-p/437059#M124493 ej56ygur 2019-05-02T13:15:35Z https://community.splunk.com/t5/Splunk-Search/Replacing-join-command-to-integrate-data-from-two-different/m-p/437060#M124494 <P>Show us the search. How can we help otherwise?</P> Thu, 02 May 2019 16:59:08 GMT https://community.splunk.com/t5/Splunk-Search/Replacing-join-command-to-integrate-data-from-two-different/m-p/437060#M124494 woodcock 2019-05-02T16:59:08Z