https://community.splunk.com/t5/Splunk-Search/How-to-join-or-corelate-3-different-index-sourcetypes-in-single/m-p/682222#M233075 <P>Hi,</P><P>I have requirement as below, please could you review and suggest ?</P><P>Need to pick up all client ids from application log called <U><STRONG>"Cos"</STRONG></U>&nbsp;(index=a sourcetype=Cos ) where distinct client ids are in 6Millions. And, I want to compare whether these clients ids are present in&nbsp; another application log called <STRONG>"Ma"</STRONG>&nbsp;(index=a sourcetype=Ma).</P><P>And, I also want to compare the same in another application&nbsp; called <STRONG>"Ph" (</STRONG>index=a sourcetype=Ph)</P><P>Basically trying to get the count/volume based on the client id, which is common among the 3 application (<STRONG>Cos, Ma,Ph</STRONG>). The total events are in Millions and when i use join, the search job is getting auto-cancelled or getting terminated.</P><P>(index=a sourcetype=Cos) OR (index=a sourcetype=Ma) OR (index=a sourcetype=Ph) stats count by clientid, sourcetype</P><P>&nbsp;</P><P>Thanks,</P><P>Selvam.</P> Thu, 28 Mar 2024 03:41:22 GMT selvam_sekar 2024-03-28T03:41:22Z https://community.splunk.com/t5/Splunk-Search/How-to-join-or-corelate-3-different-index-sourcetypes-in-single/m-p/682222#M233075 <P>Hi,</P><P>I have requirement as below, please could you review and suggest ?</P><P>Need to pick up all client ids from application log called <U><STRONG>"Cos"</STRONG></U>&nbsp;(index=a sourcetype=Cos ) where distinct client ids are in 6Millions. And, I want to compare whether these clients ids are present in&nbsp; another application log called <STRONG>"Ma"</STRONG>&nbsp;(index=a sourcetype=Ma).</P><P>And, I also want to compare the same in another application&nbsp; called <STRONG>"Ph" (</STRONG>index=a sourcetype=Ph)</P><P>Basically trying to get the count/volume based on the client id, which is common among the 3 application (<STRONG>Cos, Ma,Ph</STRONG>). The total events are in Millions and when i use join, the search job is getting auto-cancelled or getting terminated.</P><P>(index=a sourcetype=Cos) OR (index=a sourcetype=Ma) OR (index=a sourcetype=Ph) stats count by clientid, sourcetype</P><P>&nbsp;</P><P>Thanks,</P><P>Selvam.</P> Thu, 28 Mar 2024 03:41:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-or-corelate-3-different-index-sourcetypes-in-single/m-p/682222#M233075 selvam_sekar 2024-03-28T03:41:22Z https://community.splunk.com/t5/Splunk-Search/How-to-join-or-corelate-3-different-index-sourcetypes-in-single/m-p/682226#M233077 <P>As you already experience, Splunk strongly disfavors join. &nbsp;This is just natural as most noSQL do.</P><P>So, you explained how many events these sources can give, and how many different client ID's. &nbsp;What you forget to tell us is what you mean by "<SPAN>to get the count/volume based on the client id". &nbsp;If you only want to count events from each sourcetype by clientid, all you need to do is</SPAN></P><LI-CODE lang="markup">(index=a sourcetype=Cos) OR (index=a sourcetype=Ma) OR (index=a sourcetype=Ph) ``` you can also use index=a sourcetype IN (Cos, Ma, Ph) ``` | stats count by clientid, sourcetype</LI-CODE><P><SPAN>(which is a copy of the SPL snippet but added a pipe (|) in front of stats to make syntax correct.)&nbsp;</SPAN><SPAN>There is no join. &nbsp;The above will not timeout even with millions of event.</SPAN></P><P><SPAN>In other words, what does "compare" mean in "to compare the same in another application", and what does the word mean in "to compare whether these clients ids are present in&nbsp; another application"?</SPAN></P><P><SPAN>If you want to know which and how many sourcetypes (apps) each clientid appear in, all you need is to add the following:</SPAN></P><LI-CODE lang="markup">| stats sum(count) as total values(sourcetype) as apps dc(sourcetype) as app_count by clientid</LI-CODE><P>Put together,</P><LI-CODE lang="markup">(index=a sourcetype=Cos) OR (index=a sourcetype=Ma) OR (index=a sourcetype=Ph) ``` you can also use index=a sourcetype IN (Cos, Ma, Ph) ``` | stats count by clientid, sourcetype | stats sum(count) as total values(sourcetype) as apps dc(sourcetype) as app_count by clientid</LI-CODE><P>Still no join. &nbsp;Where do you get join to time out?</P> Thu, 28 Mar 2024 04:34:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-or-corelate-3-different-index-sourcetypes-in-single/m-p/682226#M233077 yuanliu 2024-03-28T04:34:39Z https://community.splunk.com/t5/Splunk-Search/How-to-join-or-corelate-3-different-index-sourcetypes-in-single/m-p/682233#M233079 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/260960">@selvam_sekar</a>&nbsp;,</P><P>to identify the common clientids between the threee sourcetypes, you should run something like this:</P><LI-CODE lang="markup">index=a sourcetype IN ("Cos","Ma","Ph") | stats count dc(sourcetype) AS sourcetype_count BY clientid | where sourcetype_count=3 | fields - sourcetype_count</LI-CODE><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Thu, 28 Mar 2024 06:25:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-or-corelate-3-different-index-sourcetypes-in-single/m-p/682233#M233079 gcusello 2024-03-28T06:25:18Z https://community.splunk.com/t5/Splunk-Search/How-to-join-or-corelate-3-different-index-sourcetypes-in-single/m-p/684723#M233717 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/260960">@selvam_sekar</a>&nbsp;,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the contributors <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 18 Apr 2024 21:31:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-or-corelate-3-different-index-sourcetypes-in-single/m-p/684723#M233717 gcusello 2024-04-18T21:31:31Z