https://community.splunk.com/t5/Splunk-Search/Can-Splunk-join-on-multiple-columns/m-p/63425#M15668 <P>How can you search Splunk to return a join on 2 columns</P> <PRE><CODE>sourcetype=test1 [search=test2 |fields col1, col2]|fields col1, col2, col3 </CODE></PRE> <P>Basically, I want something like</P> <PRE><CODE>SELECT * from test1 join test2 on test1.col1 =test2.col1 and test1.col2 = test2.col2 </CODE></PRE> Sat, 19 Mar 2011 05:23:13 GMT suhprano 2011-03-19T05:23:13Z https://community.splunk.com/t5/Splunk-Search/Can-Splunk-join-on-multiple-columns/m-p/63425#M15668 <P>How can you search Splunk to return a join on 2 columns</P> <PRE><CODE>sourcetype=test1 [search=test2 |fields col1, col2]|fields col1, col2, col3 </CODE></PRE> <P>Basically, I want something like</P> <PRE><CODE>SELECT * from test1 join test2 on test1.col1 =test2.col1 and test1.col2 = test2.col2 </CODE></PRE> Sat, 19 Mar 2011 05:23:13 GMT https://community.splunk.com/t5/Splunk-Search/Can-Splunk-join-on-multiple-columns/m-p/63425#M15668 suhprano 2011-03-19T05:23:13Z https://community.splunk.com/t5/Splunk-Search/Can-Splunk-join-on-multiple-columns/m-p/63426#M15669 <P>You should be able to do this by specify multiple fields in Splunk's join command:</P> <P>sourcetype=test1 | fields col1,col2 | join col1,col2 [search sourcetype=test2 | fields col1,col2,col3]</P> Sat, 19 Mar 2011 05:57:44 GMT https://community.splunk.com/t5/Splunk-Search/Can-Splunk-join-on-multiple-columns/m-p/63426#M15669 hazekamp 2011-03-19T05:57:44Z https://community.splunk.com/t5/Splunk-Search/Can-Splunk-join-on-multiple-columns/m-p/63427#M15670 <P>thanks! do you know if there's a limit to how many subsearches or joins splunk restricts?</P> Sat, 19 Mar 2011 06:22:27 GMT https://community.splunk.com/t5/Splunk-Search/Can-Splunk-join-on-multiple-columns/m-p/63427#M15670 suhprano 2011-03-19T06:22:27Z https://community.splunk.com/t5/Splunk-Search/Can-Splunk-join-on-multiple-columns/m-p/63428#M15671 <P>It's unnecessary (and undesirable mostly) to use <CODE>join</CODE> if you can just use: `sourcetype=test1 [search=test2 | dedup col1 col2 | fields col1 col2]</P> <P>This is basically your original search, but it should work just fine unless you've got more than a few thousand distinct <CODE>col1,col2</CODE> value pairs.</P> Mon, 21 Mar 2011 00:13:40 GMT https://community.splunk.com/t5/Splunk-Search/Can-Splunk-join-on-multiple-columns/m-p/63428#M15671 gkanapathy 2011-03-21T00:13:40Z https://community.splunk.com/t5/Splunk-Search/Can-Splunk-join-on-multiple-columns/m-p/63429#M15672 <P>How to achieve the same result, but when fields names are different? I have the problem to rebuild transactions from postfix/amavis logs, where the message is processed by a pipeline of different steps/processes and at a certain point, a new processing requests is queued in the pipeline. I have in an event the original "queue_id" and a new "queued_as" id, that in a next event will appear as a new "queue_id".</P> <P>So I need to correlate events with a "queue_id" with events that have the same "queued_as" value.</P> <P>Ideas?!?</P> Mon, 28 Sep 2020 11:35:43 GMT https://community.splunk.com/t5/Splunk-Search/Can-Splunk-join-on-multiple-columns/m-p/63429#M15672 marcoscala 2020-09-28T11:35:43Z https://community.splunk.com/t5/Splunk-Search/Can-Splunk-join-on-multiple-columns/m-p/63430#M15673 <P>Try asking this as a new question so others can easier find and make use of it. In your case have you tried using coalesce for queue_id and queued_as fields?</P> Mon, 28 Sep 2020 12:32:53 GMT https://community.splunk.com/t5/Splunk-Search/Can-Splunk-join-on-multiple-columns/m-p/63430#M15673 the_wolverine 2020-09-28T12:32:53Z https://community.splunk.com/t5/Splunk-Search/Can-Splunk-join-on-multiple-columns/m-p/63431#M15674 <P>Try rename<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Rename" target="_blank">https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Rename</A><BR /> | rename original_field as "new_name"</P> Wed, 30 Sep 2020 01:58:35 GMT https://community.splunk.com/t5/Splunk-Search/Can-Splunk-join-on-multiple-columns/m-p/63431#M15674 jslealdi 2020-09-30T01:58:35Z