https://community.splunk.com/t5/Splunk-Search/Join-not-working/m-p/490621#M136994 <PRE><CODE>index="event" | rex field=Macaddress mode=sed "s/(.{2})/\1-/g s/-$//" | rename Macaddress as "macAddress" | eval SessionTime_epoch = strptime(SessionTime, "%Y-%m-%dT%H:%M:%S.%3NZ") | eval SessionTime = strftime(SessionTime_epoch, "%Y-%m-%d %H:%M:%S") | join macAddress type=outer [inputlookup nctdata.csv] | rename cubicleNo as "work_station" | join work_station type=outer [inputlookup somaster.csv] |table Username,macAddress,Session,SessionTime,SystemName,cubliceNo,vlanNo, c_occupiedclient </CODE></PRE> <P>My query is something like this. But i am not getting the results correctly. I want the fields as I have mentioned above. I want Username,macAddress,Session,SessionTime,SystemName from "event" file and join macAddress in nctdata and get these columns in nctdata file: cubliceNo,vlanNo and join work_station in nctdata and somaster file and take these column in somaster:c_occupiedclient.</P> Wed, 30 Sep 2020 02:21:04 GMT kavyamohan 2020-09-30T02:21:04Z https://community.splunk.com/t5/Splunk-Search/Join-not-working/m-p/490621#M136994 <PRE><CODE>index="event" | rex field=Macaddress mode=sed "s/(.{2})/\1-/g s/-$//" | rename Macaddress as "macAddress" | eval SessionTime_epoch = strptime(SessionTime, "%Y-%m-%dT%H:%M:%S.%3NZ") | eval SessionTime = strftime(SessionTime_epoch, "%Y-%m-%d %H:%M:%S") | join macAddress type=outer [inputlookup nctdata.csv] | rename cubicleNo as "work_station" | join work_station type=outer [inputlookup somaster.csv] |table Username,macAddress,Session,SessionTime,SystemName,cubliceNo,vlanNo, c_occupiedclient </CODE></PRE> <P>My query is something like this. But i am not getting the results correctly. I want the fields as I have mentioned above. I want Username,macAddress,Session,SessionTime,SystemName from "event" file and join macAddress in nctdata and get these columns in nctdata file: cubliceNo,vlanNo and join work_station in nctdata and somaster file and take these column in somaster:c_occupiedclient.</P> Wed, 30 Sep 2020 02:21:04 GMT https://community.splunk.com/t5/Splunk-Search/Join-not-working/m-p/490621#M136994 kavyamohan 2020-09-30T02:21:04Z https://community.splunk.com/t5/Splunk-Search/Join-not-working/m-p/490622#M136995 <P>Hi kavyamohan,<BR /> the join command is a very slow solution and has the limit of 50,000 results because there's a subsearch.<BR /> In your case you want to do a join with a lookup, to do this you don't need of join and you can use the lookup command that's like a join.<BR /> Don't think to Splunk as a DB, it's different!</P> <P>Instead, try to use a different approach:</P> <PRE><CODE>index="event" | rex field=Macaddress mode=sed "s/(.{2})/\1-/g s/-$//" | rename Macaddress as "macAddress" | eval SessionTime_epoch = strptime(SessionTime, "%Y-%m-%dT%H:%M:%S.%3NZ"), SessionTime = strftime(SessionTime_epoch, "%Y-%m-%d %H:%M:%S") | lookup nctdata.csv macAddress OUTPUT cubicleNo | rename cubicleNo as "work_station" | lookup somaster.csv work_station OUTPUT cubliceNo vlanNo | table Username macAddress Session SessionTime SystemName cubliceNo vlanNo c_occupiedclient </CODE></PRE> <P>In addition, when you use the inputlookup command you have to always use the pipe char "|".</P> <P>Bye.<BR /> Giuseppe</P> Fri, 27 Sep 2019 12:31:58 GMT https://community.splunk.com/t5/Splunk-Search/Join-not-working/m-p/490622#M136995 gcusello 2019-09-27T12:31:58Z https://community.splunk.com/t5/Splunk-Search/Join-not-working/m-p/490623#M136996 <P>You can even simplify the <CODE>eval</CODE> further:</P> <PRE><CODE>| eval SessionTime = (strftime(strptime(SessionTime, "%Y-%m-%dT%H:%M:%S.%3NZ"), "%Y-%m-%d %H:%M:%S") </CODE></PRE> Fri, 27 Sep 2019 15:04:31 GMT https://community.splunk.com/t5/Splunk-Search/Join-not-working/m-p/490623#M136996 wmyersas 2019-09-27T15:04:31Z https://community.splunk.com/t5/Splunk-Search/Join-not-working/m-p/490624#M136997 <P>Thank you so much it worked:)</P> Fri, 04 Oct 2019 04:51:13 GMT https://community.splunk.com/t5/Splunk-Search/Join-not-working/m-p/490624#M136997 kavyamohan 2019-10-04T04:51:13Z