https://community.splunk.com/t5/Splunk-Search/How-to-replace-join-from-the-below-query/m-p/531828#M150228 <P>Did you see my reply to your other similar question&nbsp;<A href="https://community.splunk.com/t5/Splunk-Search/How-to-replace-join-command-with-any-other-alternative-command/m-p/531807#M150218" target="_blank">https://community.splunk.com/t5/Splunk-Search/How-to-replace-join-command-with-any-other-alternative-command/m-p/531807#M150218</A></P><P>The same principle would apply to this search also.</P><P>&nbsp;</P> Thu, 03 Dec 2020 07:57:05 GMT bowesmana 2020-12-03T07:57:05Z https://community.splunk.com/t5/Splunk-Search/How-to-replace-join-from-the-below-query/m-p/531827#M150227 <P>index=105261-cli sourcetype=show_system_resources<BR />| dedup deviceId<BR />| eval nexus_percent_used=round(100*memory_used/memory_total)<BR />| eval nexus_status=if(nexus_percent_used&amp;gt;85, "Not OK", "OK")<BR />| fields deviceId, nexus_percent_used, nexus_status<BR />| append<BR />[ search index=105261-cli sourcetype=show_memory_statistics<BR />| dedup deviceId<BR />| eval ios_percent_used=round(100*used/total)<BR />| eval ios_status=if(ios_percent_used&amp;gt;85, "Not OK", "OK")<BR />| fields deviceId, ios_percent_used, ios_status ]<BR />| join deviceId<BR />[ search index=105261-np sourcetype=device_details<BR />| fields deviceId, productFamily, swVersion, deviceName ]<BR />| eval percent_used=if(like(productFamily, "%Nexus%"), nexus_percent_used, ios_percent_used)<BR />| eval status=if(like(productFamily, "%Nexus%"), nexus_status, ios_status)<BR />| table deviceName, productFamily, swVersion, percent_used, status<BR />| sort -percent_used</P> Thu, 03 Dec 2020 07:50:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-replace-join-from-the-below-query/m-p/531827#M150227 pstalin_ 2020-12-03T07:50:37Z https://community.splunk.com/t5/Splunk-Search/How-to-replace-join-from-the-below-query/m-p/531828#M150228 <P>Did you see my reply to your other similar question&nbsp;<A href="https://community.splunk.com/t5/Splunk-Search/How-to-replace-join-command-with-any-other-alternative-command/m-p/531807#M150218" target="_blank">https://community.splunk.com/t5/Splunk-Search/How-to-replace-join-command-with-any-other-alternative-command/m-p/531807#M150218</A></P><P>The same principle would apply to this search also.</P><P>&nbsp;</P> Thu, 03 Dec 2020 07:57:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-replace-join-from-the-below-query/m-p/531828#M150228 bowesmana 2020-12-03T07:57:05Z https://community.splunk.com/t5/Splunk-Search/How-to-replace-join-from-the-below-query/m-p/531847#M150233 <P>(index=148031-cli sourcetype=show_system_resources) OR (index=14031-cli sourcetype=show_memory_statistics) OR (index=148031-np sourcetype=device_details)<BR />|fields deviceId,memory_used,memory_total,used,total,productFamily, swVersion, deviceName<BR />| stats latest(*) as * by deviceId<BR />| eval nexus_percent_used=round(100*memory_used/memory_total)<BR />| eval nexus_status=if(nexus_percent_used &gt; 85, "Not OK", "OK")<BR />| eval ios_percent_used=round(100*used/total)<BR />| eval ios_status=if(ios_percent_used &gt; 85, "Not OK", "OK")<BR />| eval percent_used=if(like(productFamily, "%Nexus%"), nexus_percent_used, ios_percent_used)<BR />| eval status=if(like(productFamily, "%Nexus%"), nexus_status, ios_status)<BR />| table deviceName, productFamily, swVersion, percent_used, status<BR />| sort -percent_used</P> Thu, 03 Dec 2020 11:29:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-replace-join-from-the-below-query/m-p/531847#M150233 pstalin_ 2020-12-03T11:29:11Z https://community.splunk.com/t5/Splunk-Search/How-to-replace-join-from-the-below-query/m-p/532095#M150313 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp;Hi I have tried the query as u said before but still I'm not getting the exact events count as I got when I used join. Could you please help me in solving this?</P><P><SPAN>(index=148031-cli sourcetype=show_system_resources) OR (index=14031-cli sourcetype=show_memory_statistics) OR (index=148031-np sourcetype=device_details)</SPAN><BR /><SPAN>|fields deviceId,memory_used,memory_total,used,total,productFamily, swVersion, deviceName</SPAN><BR /><SPAN>| stats latest(*) as * by deviceId</SPAN><BR /><SPAN>| eval nexus_percent_used=round(100*memory_used/memory_total)</SPAN><BR /><SPAN>| eval nexus_status=if(nexus_percent_used &gt; 85, "Not OK", "OK")</SPAN><BR /><SPAN>| eval ios_percent_used=round(100*used/total)</SPAN><BR /><SPAN>| eval ios_status=if(ios_percent_used &gt; 85, "Not OK", "OK")</SPAN><BR /><SPAN>| eval percent_used=if(like(productFamily, "%Nexus%"), nexus_percent_used, ios_percent_used)</SPAN><BR /><SPAN>| eval status=if(like(productFamily, "%Nexus%"), nexus_status, ios_status)</SPAN><BR /><SPAN>| table deviceName, productFamily, swVersion, percent_used, status</SPAN><BR /><SPAN>| sort -percent_used</SPAN></P><P>&nbsp;</P> Sat, 05 Dec 2020 05:08:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-replace-join-from-the-below-query/m-p/532095#M150313 pstalin_ 2020-12-05T05:08:48Z https://community.splunk.com/t5/Splunk-Search/How-to-replace-join-from-the-below-query/m-p/532134#M150321 <P>You will need to give an example of the data and some outcomes of the searches otherwise it's hard to diagnose the query</P><P>&nbsp;</P> Sun, 06 Dec 2020 23:01:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-replace-join-from-the-below-query/m-p/532134#M150321 bowesmana 2020-12-06T23:01:39Z