https://community.splunk.com/t5/Splunk-Search/Left-Outer-Join-in-Splunk/m-p/665605#M228360 <P>For your requirement, left join may not be ideal. Try this alternate implementation (replace make results query with your lookup/data query):</P><LI-CODE lang="markup">| makeresults | eval DatabaseName=split("A B C"," ") | mvexpand DatabaseName | table DatabaseName | eval from="Lookup" | append [| makeresults | eval DatabaseName=split("A A1 10#A A2 20#C C1 40#C C2 50#D D 60","#") | mvexpand DatabaseName | table DatabaseName | rex field=DatabaseName "^(?&lt;DatabaseName&gt;\S+)\s+(?&lt;Instance&gt;\S+)\s+(?&lt;CPUUtilization&gt;\S+)$" | eval from="search"] | eventstats values(from) as from by DatabaseName | where isnotnull(mvfilter(match(from,"Lookup"))) | foreach CPUUtilization Instance [| eval "&lt;&lt;FIELD&gt;&gt;"=coalesce('&lt;&lt;FIELD&gt;&gt;',if(mvcount(from)=1 AND from="Lookup","NULL",null()))] | stats count by DatabaseName CPUUtilization Instance | table DatabaseName CPUUtilization Instance</LI-CODE> Thu, 19 Oct 2023 19:19:50 GMT somesoni2 2023-10-19T19:19:50Z https://community.splunk.com/t5/Splunk-Search/Left-Outer-Join-in-Splunk/m-p/665592#M228358 <P>Below is our Requirement</P><P>Lookup file has just one column DatabaseName, this is the left dataset</P><TABLE width="100"><TBODY><TR><TD width="100">DatabaseName</TD></TR><TR><TD>A</TD></TR><TR><TD>B</TD></TR><TR><TD>C</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>My Search is for metrics on databases and ha</P><P>s multiple rows, this is the right dataset</P><TABLE width="310px"><TBODY><TR><TD width="121.906px">DatabaseName</TD><TD width="72.8958px">Instance</TD><TD width="115.083px">CPUUtilization</TD></TR><TR><TD width="121.906px">A</TD><TD width="72.8958px">A1</TD><TD width="115.083px">10</TD></TR><TR><TD width="121.906px">A</TD><TD width="72.8958px">A2</TD><TD width="115.083px">20</TD></TR><TR><TD width="121.906px">C</TD><TD width="72.8958px">C1</TD><TD width="115.083px">40</TD></TR><TR><TD width="121.906px">C</TD><TD width="72.8958px">C2</TD><TD width="115.083px">50</TD></TR><TR><TD width="121.906px">D</TD><TD width="72.8958px">D</TD><TD width="115.083px">60</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Expected Result is this after left join</P><TABLE width="308px"><TBODY><TR><TD width="121.906px">DatabaseName</TD><TD width="72.8958px">Instance</TD><TD width="115.083px">CPUUtilization</TD></TR><TR><TD width="121.906px">A</TD><TD width="72.8958px">A1</TD><TD width="115.083px">10</TD></TR><TR><TD width="121.906px">A</TD><TD width="72.8958px">A2</TD><TD width="115.083px">20</TD></TR><TR><TD width="121.906px">B</TD><TD width="72.8958px">NULL</TD><TD width="115.083px">NULL</TD></TR><TR><TD width="121.906px">C</TD><TD width="72.8958px">C1</TD><TD width="115.083px">40</TD></TR><TR><TD width="121.906px">C</TD><TD width="72.8958px">C2</TD><TD width="115.083px">50</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>But when I join using DatabaseName, I am getting only three records, 1 for A, 1 for B with NULL and 1 for C</P><P>My background is SQL and for me left join is all from left data set and all matching from right data set. So please suggest me how I can achive this.</P> Thu, 19 Oct 2023 18:30:43 GMT https://community.splunk.com/t5/Splunk-Search/Left-Outer-Join-in-Splunk/m-p/665592#M228358 yaswanth1992 2023-10-19T18:30:43Z https://community.splunk.com/t5/Splunk-Search/Left-Outer-Join-in-Splunk/m-p/665605#M228360 <P>For your requirement, left join may not be ideal. Try this alternate implementation (replace make results query with your lookup/data query):</P><LI-CODE lang="markup">| makeresults | eval DatabaseName=split("A B C"," ") | mvexpand DatabaseName | table DatabaseName | eval from="Lookup" | append [| makeresults | eval DatabaseName=split("A A1 10#A A2 20#C C1 40#C C2 50#D D 60","#") | mvexpand DatabaseName | table DatabaseName | rex field=DatabaseName "^(?&lt;DatabaseName&gt;\S+)\s+(?&lt;Instance&gt;\S+)\s+(?&lt;CPUUtilization&gt;\S+)$" | eval from="search"] | eventstats values(from) as from by DatabaseName | where isnotnull(mvfilter(match(from,"Lookup"))) | foreach CPUUtilization Instance [| eval "&lt;&lt;FIELD&gt;&gt;"=coalesce('&lt;&lt;FIELD&gt;&gt;',if(mvcount(from)=1 AND from="Lookup","NULL",null()))] | stats count by DatabaseName CPUUtilization Instance | table DatabaseName CPUUtilization Instance</LI-CODE> Thu, 19 Oct 2023 19:19:50 GMT https://community.splunk.com/t5/Splunk-Search/Left-Outer-Join-in-Splunk/m-p/665605#M228360 somesoni2 2023-10-19T19:19:50Z https://community.splunk.com/t5/Splunk-Search/Left-Outer-Join-in-Splunk/m-p/665607#M228361 <P>The <FONT face="courier new,courier">join</FONT> command is an inefficient way to combine datasets.&nbsp; Alternative commands are described in the Search Reference manual (<A href="https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Join#Alternative_commands" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Join#Alternative_commands</A>).</P><P>Splunk has a manual for SQL users.&nbsp; See <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SQLtoSplunk" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SQLtoSplunk</A></P> Thu, 19 Oct 2023 19:24:47 GMT https://community.splunk.com/t5/Splunk-Search/Left-Outer-Join-in-Splunk/m-p/665607#M228361 richgalloway 2023-10-19T19:24:47Z https://community.splunk.com/t5/Splunk-Search/Left-Outer-Join-in-Splunk/m-p/665627#M228366 <P>Something like this should work. I called the lookup db_names.csv ... change that to whatever your actual lookup is named. Everything above the comment just emulates the data you gave.</P><LI-CODE lang="markup">| makeresults count=1 | eval _raw="DatabaseName,Instance,CPUUtilization A,A1,10 A,A2,20 C,C1,40 C,C2,50 D,D,60" | multikv forceheader=1 | fields - _time, _raw, linecount ```^^^^ This emulates the data you gave ^^^^``` | eval inst_cpu=Instance+"#"+CPUUtilization | fields - Instance CPUUtilization | inputlookup db_names.csv append=true ```&lt;-- change the lookup name here``` | stats list(inst_cpu) as inst_cpu by DatabaseName | mvexpand inst_cpu | eval Instance=mvindex(split(inst_cpu,"#"), 0) | eval CPUUtilization=mvindex(split(inst_cpu,"#"), 1) | fillnull value="NULL" Instance CPUUtilization | fields - inst_cpu</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Thu, 19 Oct 2023 22:33:17 GMT https://community.splunk.com/t5/Splunk-Search/Left-Outer-Join-in-Splunk/m-p/665627#M228366 fredclown 2023-10-19T22:33:17Z https://community.splunk.com/t5/Splunk-Search/Left-Outer-Join-in-Splunk/m-p/665635#M228372 <P>Hi</P><P>one old answer which describe how joins can/should do with splunk&nbsp;<A href="https://community.splunk.com/t5/Splunk-Search/What-is-the-relation-between-the-Splunk-inner-left-join-and-the/m-p/391288/thread-id/113948" target="_blank">https://community.splunk.com/t5/Splunk-Search/What-is-the-relation-between-the-Splunk-inner-left-join-and-the/m-p/391288/thread-id/113948</A></P><P>r. Ismo</P> Fri, 20 Oct 2023 06:36:54 GMT https://community.splunk.com/t5/Splunk-Search/Left-Outer-Join-in-Splunk/m-p/665635#M228372 isoutamo 2023-10-20T06:36:54Z