https://community.splunk.com/t5/Splunk-Search/Using-Join-or-similar-command-for-One-to-Many-Relationship/m-p/85969#M21942 <P>Assuming the search and subsearch were correct of course. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 05 Jul 2013 20:27:23 GMT cpeteman 2013-07-05T20:27:23Z https://community.splunk.com/t5/Splunk-Search/Using-Join-or-similar-command-for-One-to-Many-Relationship/m-p/85967#M21940 <P>I have a log file that is writing session data for users using an application in a csv format. The session data provides information about each transaction using "Meta" events and action information (Page Loads, Application Initialization). The sessionId is common to both types of events and is used to link the events. There is a one to many relationship between the action events and the meta events. (Each Action Event will have many Meta Events associated with it.) </P> <P>I want to write a search that will add the information provided from the Meta information to the action information. I started using a join, but after running the search it looks like the search is only pulling back the meta information from the first meta tag. I have been able to push this data to Hadoop and run Ruby to "Sessionize" the data, but I want to be able to do this directly in Splunk. </P> <P>Below is the join search. Is "Join" the right search to create a one to many relationship? Can I create a Subtable of Meta Data to each action event?</P> <P>index=prod_ui sourcetype=ui_instrumentation Type=init OR Type=view | rename Type AS Type1 | rename SubjectName AS SubjectName1 | rename DataValue AS DataValue1 | table _time, SessionId, Type1, SubjectName1, DataValue1, Duration | join SessionId [search index=prod_ui sourcetype=ui_instrumentation Type=meta | table SessionId, DataValue, SubjectName, Type]</P> Mon, 28 Sep 2020 14:16:10 GMT https://community.splunk.com/t5/Splunk-Search/Using-Join-or-similar-command-for-One-to-Many-Relationship/m-p/85967#M21940 ezajac 2020-09-28T14:16:10Z https://community.splunk.com/t5/Splunk-Search/Using-Join-or-similar-command-for-One-to-Many-Relationship/m-p/85968#M21941 <P>I had a vaguely similar problem a few weeks ago. The best solution seems to be using append and selfjoin instead of join. Try the following</P> <P>index=prod_ui sourcetype=ui_instrumentation Type=init OR Type=view | rename Type AS Type1 | rename SubjectName AS SubjectName1 | rename DataValue AS DataValue1 | table _time, SessionId, Type1, SubjectName1, DataValue1, Duration | append [search index=prod_ui sourcetype=ui_instrumentation Type=meta | table SessionId, DataValue, SubjectName, Type] | selfjoin SessionId</P> <P>That doesn't work right let me know what it does versus what you want I'll be glad to take another look.</P> Mon, 28 Sep 2020 14:16:22 GMT https://community.splunk.com/t5/Splunk-Search/Using-Join-or-similar-command-for-One-to-Many-Relationship/m-p/85968#M21941 cpeteman 2020-09-28T14:16:22Z https://community.splunk.com/t5/Splunk-Search/Using-Join-or-similar-command-for-One-to-Many-Relationship/m-p/85969#M21942 <P>Assuming the search and subsearch were correct of course. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 05 Jul 2013 20:27:23 GMT https://community.splunk.com/t5/Splunk-Search/Using-Join-or-similar-command-for-One-to-Many-Relationship/m-p/85969#M21942 cpeteman 2013-07-05T20:27:23Z https://community.splunk.com/t5/Splunk-Search/Using-Join-or-similar-command-for-One-to-Many-Relationship/m-p/85970#M21943 <P>The join command contains an option called <STRONG>max=int</STRONG> that is used to specify how many subsearch results can join with main search results.</P> <P>In your query, just write <STRONG>join max=0 SessionId</STRONG> in place of join SessionId. <BR /> When max is set to 0 there is no limit.</P> <P>,</P> Mon, 28 May 2018 11:29:55 GMT https://community.splunk.com/t5/Splunk-Search/Using-Join-or-similar-command-for-One-to-Many-Relationship/m-p/85970#M21943 darshildave 2018-05-28T11:29:55Z