https://community.splunk.com/t5/Splunk-Search/How-to-do-an-outer-join-on-two-tables-with-two-fields/m-p/483937#M135480 <P>did you try <CODE>| append</CODE> or <CODE>| appendcols</CODE> commands?</P> Tue, 28 Apr 2020 15:47:51 GMT adonio 2020-04-28T15:47:51Z https://community.splunk.com/t5/Splunk-Search/How-to-do-an-outer-join-on-two-tables-with-two-fields/m-p/483936#M135479 <P>Hi,<BR /> I'm wondering if it's possible to do an outer/left join two tables on two fields. I have two indexes with the following data:</P> <P><STRONG>Index1:</STRONG><BR /> col1 col2<BR /> 123 abc<BR /> 456 def</P> <P><STRONG>Index2:</STRONG><BR /> col1 col2 col3<BR /> 123 abc xyz</P> <P><STRONG>Desired results:</STRONG><BR /> col1 col2 col3<BR /> 123 abc xyz<BR /> 456 def</P> <P>Here's my search:</P> <PRE><CODE>index=index1 |join type=outer col1, col2 [search index=index2 |fields col1, col2, col3] |table col1, col2, col3 </CODE></PRE> <P>The results I get are inconsistent. It seems almost as if Splunk is going the outer join on the two columns independently, so I get more results than I need. If I remove the "type=outer", making it an inner join, I get the below results, so I know the join works for the inner:<BR /> <STRONG>col1 col2 col3<BR /> 123 abc xyz</STRONG></P> <P>Thanks,<BR /> AP</P> Tue, 28 Apr 2020 15:24:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-an-outer-join-on-two-tables-with-two-fields/m-p/483936#M135479 apiprek2 2020-04-28T15:24:41Z https://community.splunk.com/t5/Splunk-Search/How-to-do-an-outer-join-on-two-tables-with-two-fields/m-p/483937#M135480 <P>did you try <CODE>| append</CODE> or <CODE>| appendcols</CODE> commands?</P> Tue, 28 Apr 2020 15:47:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-an-outer-join-on-two-tables-with-two-fields/m-p/483937#M135480 adonio 2020-04-28T15:47:51Z https://community.splunk.com/t5/Splunk-Search/How-to-do-an-outer-join-on-two-tables-with-two-fields/m-p/483938#M135481 <P>From the fact that you're talking about outer joins, you are coming from an SQL background, so READ THIS FIRST: </P> <P><A href="https://answers.splunk.com/answers/561130/how-to-join-two-tables-where-the-key-is-named-diff.html">https://answers.splunk.com/answers/561130/how-to-join-two-tables-where-the-key-is-named-diff.html</A></P> <HR /> <P>The general answer is called "splunk soup" or "splunk stew". You throw all the records and fields you want together in the pot and then stir until they come apart the way you want.</P> <P>Here's generic pseudocode for that method...</P> <PRE><CODE> ((filters identifying events of type A) OR (filters identifying events of type B)) | fields ... the list of every field that you need from either type A or B... | eval joinfield = case(expression to detect type A, functions(to(transform(events, of, type, A))), expression to detect type B, functions(to(transform(events, of, type, A)))) | stats values(field1) as field1 values(... as fieldN by joinfield </CODE></PRE> <HR /> <P>Then you can also look at this one. If you still have any questions, then please feel free to ask via a comment here.</P> <P><A href="https://answers.splunk.com/answers/816615/how-to-search-for-a-value-in-multiple-fields.html">https://answers.splunk.com/answers/816615/how-to-search-for-a-value-in-multiple-fields.html</A></P> Tue, 28 Apr 2020 15:51:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-an-outer-join-on-two-tables-with-two-fields/m-p/483938#M135481 DalJeanis 2020-04-28T15:51:59Z