https://community.splunk.com/t5/Splunk-Search/How-to-do-RIGHT-OUTER-JOIN-with-Lookup-table/m-p/507726#M141931 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/171870">@pm771</a>,</P><P>One of the approaches is</P><P>Assuming you have a lookup "ID" with set of "ids"</P><LI-CODE lang="markup">|inputlookup ID|eval count=0, source="lookup" |append [search index="your index" | stats count by ids|eval source="events" ] |stats sum(count) as count,values(source) as source by ids</LI-CODE><P>Source is added to distinguish between the sources , you may remove it</P><P>If the result looks good, we shall further filter it by using the source</P> Tue, 07 Jul 2020 02:32:55 GMT renjith_nair 2020-07-07T02:32:55Z https://community.splunk.com/t5/Splunk-Search/How-to-do-RIGHT-OUTER-JOIN-with-Lookup-table/m-p/507722#M141927 <P>Events stream has ID field in every record.&nbsp;&nbsp;<BR /><BR />There is a lookup table with a small subset of IDs.<BR /><BR />The task is to calculate the total number of occurrences for each ID from the lookup table for every 15 min.<BR /><BR />It is possible that certain IDs from the table will not be found.&nbsp; In such cases they should still be included in the result with the count of zero.<BR /><BR />SQL version:<BR /><BR />SELECT ID, COUNT(ID)&nbsp;&nbsp;<BR />FROM Events e<BR />RIGHT JOIN Lookup l ON l.ID=e.ID<BR />GROUP BY I.ID&nbsp;<BR /><BR />What would be a good Splunk way to achieve the same?</P> Tue, 07 Jul 2020 01:14:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-RIGHT-OUTER-JOIN-with-Lookup-table/m-p/507722#M141927 pm771 2020-07-07T01:14:39Z https://community.splunk.com/t5/Splunk-Search/How-to-do-RIGHT-OUTER-JOIN-with-Lookup-table/m-p/507726#M141931 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/171870">@pm771</a>,</P><P>One of the approaches is</P><P>Assuming you have a lookup "ID" with set of "ids"</P><LI-CODE lang="markup">|inputlookup ID|eval count=0, source="lookup" |append [search index="your index" | stats count by ids|eval source="events" ] |stats sum(count) as count,values(source) as source by ids</LI-CODE><P>Source is added to distinguish between the sources , you may remove it</P><P>If the result looks good, we shall further filter it by using the source</P> Tue, 07 Jul 2020 02:32:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-RIGHT-OUTER-JOIN-with-Lookup-table/m-p/507726#M141931 renjith_nair 2020-07-07T02:32:55Z https://community.splunk.com/t5/Splunk-Search/How-to-do-RIGHT-OUTER-JOIN-with-Lookup-table/m-p/507838#M141959 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/136781">@renjith_nair</a>&nbsp;,</P><P>Thank you very much for your reply.<BR /><BR />I was considering&nbsp; an`append` approach but did not come with `count()` and `sum()` combination.</P> Tue, 07 Jul 2020 13:24:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-RIGHT-OUTER-JOIN-with-Lookup-table/m-p/507838#M141959 pm771 2020-07-07T13:24:37Z