https://community.splunk.com/t5/Splunk-Search/Find-Events-in-one-index-based-on-a-result-set/m-p/574484#M200206 <P>Hi</P><P>quite often you should avoid join to join datasets. Here is excellent presentation why&nbsp;<A href="https://conf.splunk.com/files/2020/slides/TRU1761C.pdf" target="_blank">https://conf.splunk.com/files/2020/slides/TRU1761C.pdf</A></P><P>There are some other presentations too which are worth of look.</P><P>r. Ismo</P> Wed, 10 Nov 2021 19:45:13 GMT isoutamo 2021-11-10T19:45:13Z https://community.splunk.com/t5/Splunk-Search/Find-Events-in-one-index-based-on-a-result-set/m-p/574465#M200194 <P>I want to find items in one index based on results from another index's search. I have the following but only get a handful of results for some reason.</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=a sourcetype=test |join id [search index b | rename id as idb] |stats count by id, idb</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Is this the best way to accomplish it and any reason I only get a small number of results?&nbsp;</P> Wed, 10 Nov 2021 17:54:59 GMT https://community.splunk.com/t5/Splunk-Search/Find-Events-in-one-index-based-on-a-result-set/m-p/574465#M200194 SMM10 2021-11-10T17:54:59Z https://community.splunk.com/t5/Splunk-Search/Find-Events-in-one-index-based-on-a-result-set/m-p/574477#M200200 <P>The join command works much like it would in SQL.&nbsp;</P><P>If Index A has the field idb, it will display the events where idb matches found in both Index A and B.&nbsp;</P><P>The query as you stated will only provide events where the value is found in both Indexes.</P><P>If you wanted all events from A and any events from B that match on idb you can add the type:</P><LI-CODE lang="markup">index=a sourcetype=test |join type=left id [search index b | rename id as idb] |stats count by id, idb</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Wed, 10 Nov 2021 18:52:51 GMT https://community.splunk.com/t5/Splunk-Search/Find-Events-in-one-index-based-on-a-result-set/m-p/574477#M200200 jcraumer 2021-11-10T18:52:51Z https://community.splunk.com/t5/Splunk-Search/Find-Events-in-one-index-based-on-a-result-set/m-p/574484#M200206 <P>Hi</P><P>quite often you should avoid join to join datasets. Here is excellent presentation why&nbsp;<A href="https://conf.splunk.com/files/2020/slides/TRU1761C.pdf" target="_blank">https://conf.splunk.com/files/2020/slides/TRU1761C.pdf</A></P><P>There are some other presentations too which are worth of look.</P><P>r. Ismo</P> Wed, 10 Nov 2021 19:45:13 GMT https://community.splunk.com/t5/Splunk-Search/Find-Events-in-one-index-based-on-a-result-set/m-p/574484#M200206 isoutamo 2021-11-10T19:45:13Z https://community.splunk.com/t5/Splunk-Search/Find-Events-in-one-index-based-on-a-result-set/m-p/574485#M200207 <P>Join is one way to do it, but can be inefficient.&nbsp; If you use <FONT face="courier new,courier">join</FONT>, understand that Splunk will match events based only on the specified field name(s) (or all common fields if none are specified).</P><P>Another way to combine results is using <FONT face="courier new,courier">append</FONT>.</P><LI-CODE lang="markup">index=a sourcetype=test | append [search index b | rename id as idb] |stats count by id, idb</LI-CODE><P>Yet another way, and probably the best way if I understand the use case correctly, is to use a subsearch.&nbsp; A subsearch runs before the main search and its results become part of the main search.</P><LI-CODE lang="markup">index=a sourcetype=test [search index b | fields id | format ] |stats count by id</LI-CODE><P>The <FONT face="courier new,courier">format</FONT> command converts the subsearch results into a boolean expression the main search can evaluate.&nbsp; It's important for the subsearch to return field names that exist in the main search otherwise it may fail to find the right results.</P><P>&nbsp;</P> Wed, 10 Nov 2021 19:48:42 GMT https://community.splunk.com/t5/Splunk-Search/Find-Events-in-one-index-based-on-a-result-set/m-p/574485#M200207 richgalloway 2021-11-10T19:48:42Z