https://community.splunk.com/t5/Splunk-Search/Mismatch-with-values-in-Join/m-p/392572#M168874 <P>With <CODE>type=inner</CODE> in join command, you'd see matching records from both the sources (main search and subsearch), hence the result is limited to only the STYPE=08 OR STYPE=29. The joins are very expensive, and you should look for alternative implementation for it. </P> <P>If you have to use join, use <CODE>type=left</CODE> so that all rows from left (main search) will be returned, along with matched ones.</P> <P>Alternatively, you can use following:</P> <PRE><CODE>index=edi-2 OR index=edi | eval TRACKINGNUMBER=coalesce(TRACKINGNUMBER, TRCK) | stats count(TRACKINGNUMBER) values(index) as indexes BY STYPE </CODE></PRE> <P>This should give count by STYPE for records in both indexes. <BR /> To get records same as <CODE>| join type=inner</CODE>, add <CODE>| where mvcount(indexes)=2 | fields - indexes</CODE>.<BR /> To get records same as <CODE>| join type=left</CODE>, add <CODE>| where NOT mvcount(indexes)=1 AND indexes="edi" | fields - indexes</CODE>.</P> Thu, 14 Jun 2018 20:27:51 GMT somesoni2 2018-06-14T20:27:51Z https://community.splunk.com/t5/Splunk-Search/Mismatch-with-values-in-Join/m-p/392571#M168873 <P>When I run this query:<BR /> <CODE>index=edi-2 | join type=inner TRACKINGNUMBER [search index=edi | rename TRCK AS TRACKINGNUMBER] | stats count(TRACKINGNUMBER) BY STYPE</CODE></P> <P>I get these results:</P> <BLOCKQUOTE> <P>STYPE count(TRACKINGNUMBER) 01 2140<BR /> <STRONG>08 38</STRONG><BR /> 10 284<BR /> 13 1122<BR /> 22 539 <BR /> 25 349<BR /> <STRONG>29 4</STRONG><BR /> 32 236</P> </BLOCKQUOTE> <P>However, if I add this <CODE>where</CODE> clause:<BR /> <CODE>index=edi-2 | join type=inner TRACKINGNUMBER [search index=edi | rename TRCK AS TRACKINGNUMBER | where STYPE=08 OR STYPE=29] | stats count(TRACKINGNUMBER) BY STYPE</CODE></P> <P>I get this:</P> <BLOCKQUOTE> <P>STYPE count(TRACKINGNUMBER)<BR /> <STRONG>08 166<BR /> 29 4572</STRONG></P> </BLOCKQUOTE> <P>WTH?? How is that possible? Shouldn't <CODE>08</CODE> and <CODE>29</CODE> match up with the first set of results?? What am I missing with this?</P> <P>Thanks!</P> Thu, 14 Jun 2018 19:34:42 GMT https://community.splunk.com/t5/Splunk-Search/Mismatch-with-values-in-Join/m-p/392571#M168873 tlunruh 2018-06-14T19:34:42Z https://community.splunk.com/t5/Splunk-Search/Mismatch-with-values-in-Join/m-p/392572#M168874 <P>With <CODE>type=inner</CODE> in join command, you'd see matching records from both the sources (main search and subsearch), hence the result is limited to only the STYPE=08 OR STYPE=29. The joins are very expensive, and you should look for alternative implementation for it. </P> <P>If you have to use join, use <CODE>type=left</CODE> so that all rows from left (main search) will be returned, along with matched ones.</P> <P>Alternatively, you can use following:</P> <PRE><CODE>index=edi-2 OR index=edi | eval TRACKINGNUMBER=coalesce(TRACKINGNUMBER, TRCK) | stats count(TRACKINGNUMBER) values(index) as indexes BY STYPE </CODE></PRE> <P>This should give count by STYPE for records in both indexes. <BR /> To get records same as <CODE>| join type=inner</CODE>, add <CODE>| where mvcount(indexes)=2 | fields - indexes</CODE>.<BR /> To get records same as <CODE>| join type=left</CODE>, add <CODE>| where NOT mvcount(indexes)=1 AND indexes="edi" | fields - indexes</CODE>.</P> Thu, 14 Jun 2018 20:27:51 GMT https://community.splunk.com/t5/Splunk-Search/Mismatch-with-values-in-Join/m-p/392572#M168874 somesoni2 2018-06-14T20:27:51Z https://community.splunk.com/t5/Splunk-Search/Mismatch-with-values-in-Join/m-p/392573#M168875 <P>Thanks @somesoni2. I ran your new search and it gave me different data, but I am still not sure it is right. I am sure I am trying to use Splunk JOINs like SQL (which I am very familiar with) and not understanding the overhead/results. What I am really trying to get (for the first pass), is the <CODE>STYPE</CODE> from <CODE>index=edi</CODE> for each matching <CODE>TRACKINGNUMBER</CODE> in <CODE>index=edi-2</CODE>.</P> <P><CODE>index=edi</CODE> has TRCK and STYPE fields; <CODE>index=edi-2</CODE> has TRACKINGNUMBER and DATE fields. I want to JOIN (or use an alternative) the two indexex on TRACKINGNUMBER/TRCK and return the count of STYPE. Does that make sense?</P> Thu, 14 Jun 2018 21:29:13 GMT https://community.splunk.com/t5/Splunk-Search/Mismatch-with-values-in-Join/m-p/392573#M168875 tlunruh 2018-06-14T21:29:13Z https://community.splunk.com/t5/Splunk-Search/Mismatch-with-values-in-Join/m-p/704916#M238761 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/121532">@tlunruh</a>&nbsp;, it looks like your processing EDI data.&nbsp; We now have solution accelerator for EDI transactions, I would love to share what we have.&nbsp; Let me know if you're interested.</P> Thu, 21 Nov 2024 08:17:49 GMT https://community.splunk.com/t5/Splunk-Search/Mismatch-with-values-in-Join/m-p/704916#M238761 youngc_splunk 2024-11-21T08:17:49Z