https://community.splunk.com/t5/Splunk-Search/Join-between-2-source-type-with-a-lot-of-data/m-p/212930#M187914 <P>I everybody.</P> <P>I have a problem on splunk.</P> <P>I have a sourcetype with my orders and a sourcetype with my customers.</P> <P>I have a customer technical key in my customers table and in my orders table.</P> <P>It is possible to simulate left join ? I have a lot of customers (more than 10 millions...) ... so it is not possible to use the join command.</P> <P>Thanks in advance for your answers.</P> Wed, 04 Nov 2015 11:29:19 GMT jbechchar 2015-11-04T11:29:19Z https://community.splunk.com/t5/Splunk-Search/Join-between-2-source-type-with-a-lot-of-data/m-p/212930#M187914 <P>I everybody.</P> <P>I have a problem on splunk.</P> <P>I have a sourcetype with my orders and a sourcetype with my customers.</P> <P>I have a customer technical key in my customers table and in my orders table.</P> <P>It is possible to simulate left join ? I have a lot of customers (more than 10 millions...) ... so it is not possible to use the join command.</P> <P>Thanks in advance for your answers.</P> Wed, 04 Nov 2015 11:29:19 GMT https://community.splunk.com/t5/Splunk-Search/Join-between-2-source-type-with-a-lot-of-data/m-p/212930#M187914 jbechchar 2015-11-04T11:29:19Z https://community.splunk.com/t5/Splunk-Search/Join-between-2-source-type-with-a-lot-of-data/m-p/212931#M187915 <P>I would look at populating a lookup or kvstore with your customers and from that you can either do an automatic lookup, or use the data manually. Then you'll want to construct a search to regularly keep the lookup up-to-date. You could also potentially use the KVStore for this as well.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Usefieldlookupstoaddinformationtoyourevents">http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Usefieldlookupstoaddinformationtoyourevents</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Lookup">http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Lookup</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Outputlookup">http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Outputlookup</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.3.0/Knowledge/ConfigureKVstorelookups">http://docs.splunk.com/Documentation/Splunk/6.3.0/Knowledge/ConfigureKVstorelookups</A></P> <P><A href="https://answers.splunk.com/answers/86564/updating-lookup-table-data-externally-auto-magically.html">https://answers.splunk.com/answers/86564/updating-lookup-table-data-externally-auto-magically.html</A><BR /> <A href="https://answers.splunk.com/answers/236903/how-to-update-a-lookup-table-using-a-scheduled-sea.html">https://answers.splunk.com/answers/236903/how-to-update-a-lookup-table-using-a-scheduled-sea.html</A></P> Wed, 04 Nov 2015 19:37:52 GMT https://community.splunk.com/t5/Splunk-Search/Join-between-2-source-type-with-a-lot-of-data/m-p/212931#M187915 ltrand 2015-11-04T19:37:52Z https://community.splunk.com/t5/Splunk-Search/Join-between-2-source-type-with-a-lot-of-data/m-p/212932#M187916 <P>KV store is a good approach, but if you cannot do it there is always <CODE>stats</CODE>. <BR /> If your orders and costumers source types have a common field like <CODE>id</CODE> you can to something like this:</P> <PRE><CODE>sourcetype=orders OR sourcetype=costumers | stats values(orders) AS orders values(costumers) AS costumers by id </CODE></PRE> <P>This is un-test since I don't have your data available, but you can read more about this topic here: <A href="https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html">https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html</A></P> <P>cheers, MuS</P> Wed, 04 Nov 2015 20:03:00 GMT https://community.splunk.com/t5/Splunk-Search/Join-between-2-source-type-with-a-lot-of-data/m-p/212932#M187916 MuS 2015-11-04T20:03:00Z https://community.splunk.com/t5/Splunk-Search/Join-between-2-source-type-with-a-lot-of-data/m-p/212933#M187917 <P>I concur with creating a lookup table from your customer data using a regularly scheduled search to keep the table current. Then configure the table for automatic lookup and your customer info will be added to each order event as it is processed.</P> Wed, 04 Nov 2015 20:05:05 GMT https://community.splunk.com/t5/Splunk-Search/Join-between-2-source-type-with-a-lot-of-data/m-p/212933#M187917 curryRick 2015-11-04T20:05:05Z https://community.splunk.com/t5/Splunk-Search/Join-between-2-source-type-with-a-lot-of-data/m-p/212934#M187918 <P>Thanks all for your answers.</P> <P>It is possible to put a value in the _key field ? for Example my technical key...</P> <P>I cannot see an exemple anywhere.</P> <P>Thanks in advance. </P> Fri, 06 Nov 2015 11:50:36 GMT https://community.splunk.com/t5/Splunk-Search/Join-between-2-source-type-with-a-lot-of-data/m-p/212934#M187918 jbechchar 2015-11-06T11:50:36Z