https://community.splunk.com/t5/Splunk-Search/how-to-avoid-join/m-p/512308#M143686 <P>Hi,&nbsp;</P><P>I have scenario where index and sourcetype are same and i am tryng below conditions.</P><P>chart dc(run) OVER app by event---- this will give me dc of run for each app for each event</P><P>stats dc(run) as run by app-- this will give me dc of run by app........</P><P>i used join to get this done ike below, but this is taking lot time to run query,</P><P>base search...<BR />|chart dc(run) OVER app by event<BR />| join app<BR />&nbsp; &nbsp; &nbsp; &nbsp; [search source =mysource | stats dc(run) as run by app ]&nbsp;<BR />|eval new_val = run - event1- event2&nbsp;<BR />| fields app event1 event2 new_val new run</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 04 Aug 2020 08:57:51 GMT vikashperiwal 2020-08-04T08:57:51Z https://community.splunk.com/t5/Splunk-Search/how-to-avoid-join/m-p/512308#M143686 <P>Hi,&nbsp;</P><P>I have scenario where index and sourcetype are same and i am tryng below conditions.</P><P>chart dc(run) OVER app by event---- this will give me dc of run for each app for each event</P><P>stats dc(run) as run by app-- this will give me dc of run by app........</P><P>i used join to get this done ike below, but this is taking lot time to run query,</P><P>base search...<BR />|chart dc(run) OVER app by event<BR />| join app<BR />&nbsp; &nbsp; &nbsp; &nbsp; [search source =mysource | stats dc(run) as run by app ]&nbsp;<BR />|eval new_val = run - event1- event2&nbsp;<BR />| fields app event1 event2 new_val new run</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 04 Aug 2020 08:57:51 GMT https://community.splunk.com/t5/Splunk-Search/how-to-avoid-join/m-p/512308#M143686 vikashperiwal 2020-08-04T08:57:51Z https://community.splunk.com/t5/Splunk-Search/how-to-avoid-join/m-p/512309#M143687 <P>You can use append command to avoid join.</P><P>like the way you did join based on field app.</P><P>you can achieve same from append command.</P><P>example search is as below:</P><P>| search1 | stats count as count1 by app run</P><P>| append [search2 | stats count by app run1]<BR />| stats values(*) as * by app</P><P>| do what ever you want</P> Tue, 04 Aug 2020 09:06:20 GMT https://community.splunk.com/t5/Splunk-Search/how-to-avoid-join/m-p/512309#M143687 thambisetty 2020-08-04T09:06:20Z https://community.splunk.com/t5/Splunk-Search/how-to-avoid-join/m-p/512318#M143691 <P>The below sol would not filter by event and 2 nd app/join both are taking lot of time to run, do we see any alternative of this,&nbsp;</P> Tue, 04 Aug 2020 09:27:23 GMT https://community.splunk.com/t5/Splunk-Search/how-to-avoid-join/m-p/512318#M143691 vikashperiwal 2020-08-04T09:27:23Z https://community.splunk.com/t5/Splunk-Search/how-to-avoid-join/m-p/512323#M143692 <P>do not append all your raw events. you should append processed results from second search. this way you can improve the performance of search.</P> Tue, 04 Aug 2020 09:47:18 GMT https://community.splunk.com/t5/Splunk-Search/how-to-avoid-join/m-p/512323#M143692 thambisetty 2020-08-04T09:47:18Z