https://community.splunk.com/t5/Splunk-Search/Joining-and-grouping-indexes/m-p/691283#M235405 <P><BR /><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span>completely different logic than in relational databases. It takes me a time to switch for this "new" one .</P><P>Ok, one more condition I noticed.<BR />Two indexes are linked by field FieldA. The point is that FieldA in IndexB needs to be converted to :<BR /><BR /><EM>| eval ModA = mvindex(split(FieldA, ","), 0)</EM><BR /><BR />So the relation one_to_many is IndexA.FieldA = IndexB.ModA<BR /><BR /><BR />is this clear what I am writing about ... <span class="lia-unicode-emoji" title=":thinking_face:">🤔</span><BR /><BR /><BR /></P> Fri, 21 Jun 2024 11:17:43 GMT kp_pl 2024-06-21T11:17:43Z https://community.splunk.com/t5/Splunk-Search/Joining-and-grouping-indexes/m-p/690957#M235316 <P>below is my scenario described by Oracle DBA <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>I have two indexes</P><P>INDEXA<BR />fieldA<BR />fieldB<BR />fieldC</P><P>INDEXB<BR />fieldA<BR />fieldX<BR />fieldY<BR />fieldZ</P><P>First I need to join them both, it will be kind of LEFT JOIN as you porbably noticed by fieldA. Then group it by filedA+FieldZ and count each group.</P><P>&nbsp;</P><P><BR />In DBA language something like :<BR />select a.fieldA, b.filedZ, count(*)<BR />from indexA A left join indexB B on a.fieldA=b.fieldA<BR />group by a.fieldA, b.filedZ</P><P>&nbsp;</P><P>any hints ?</P><P>&nbsp;</P><P>K.</P><P>&nbsp;</P> Tue, 18 Jun 2024 06:51:50 GMT https://community.splunk.com/t5/Splunk-Search/Joining-and-grouping-indexes/m-p/690957#M235316 kp_pl 2024-06-18T06:51:50Z https://community.splunk.com/t5/Splunk-Search/Joining-and-grouping-indexes/m-p/690961#M235317 <P>Usually, instead of using <STRONG>join,</STRONG> you can replace it by <STRONG>stats</STRONG> and will be a lot better in performance.</P><P>Try to do something like this and adjust it to your needs:</P><LI-CODE lang="markup">index=INDEXA OR index=INDEXA | stats values(fieldB) AS fieldB values(fieldC) AS fieldC values(fieldX) AS fieldX values(fieldY) AS fieldY values(fieldZ) AS fieldZ by fieldA | fillnull value=unknown fieldZ | stats count(fieldB) AS fieldB count(fieldC) AS fieldC count(fieldX) AS fieldX count(fieldY) AS fieldY by fieldA, fieldZ </LI-CODE><P>First use OR to merge the info from both indexes and use stats to group the other fields by fieldA.</P><P>Then, assuming there will be gaps of information in some fiels, usa can use fillnull to fill those gaps.</P><P>Then, count all fields by fieldA and fieldZ.</P><P>&nbsp;</P><P>Also check this post:</P><P><A href="https://community.splunk.com/t5/Splunk-Search/Replace-join-with-stats-to-merge-events-based-on-common-field/m-p/321060" target="_blank">https://community.splunk.com/t5/Splunk-Search/Replace-join-with-stats-to-merge-events-based-on-common-field/m-p/321060</A></P><P>&nbsp;</P> Tue, 18 Jun 2024 07:21:04 GMT https://community.splunk.com/t5/Splunk-Search/Joining-and-grouping-indexes/m-p/690961#M235317 glc_slash_it 2024-06-18T07:21:04Z https://community.splunk.com/t5/Splunk-Search/Joining-and-grouping-indexes/m-p/691283#M235405 <P><BR /><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span>completely different logic than in relational databases. It takes me a time to switch for this "new" one .</P><P>Ok, one more condition I noticed.<BR />Two indexes are linked by field FieldA. The point is that FieldA in IndexB needs to be converted to :<BR /><BR /><EM>| eval ModA = mvindex(split(FieldA, ","), 0)</EM><BR /><BR />So the relation one_to_many is IndexA.FieldA = IndexB.ModA<BR /><BR /><BR />is this clear what I am writing about ... <span class="lia-unicode-emoji" title=":thinking_face:">🤔</span><BR /><BR /><BR /></P> Fri, 21 Jun 2024 11:17:43 GMT https://community.splunk.com/t5/Splunk-Search/Joining-and-grouping-indexes/m-p/691283#M235405 kp_pl 2024-06-21T11:17:43Z https://community.splunk.com/t5/Splunk-Search/Joining-and-grouping-indexes/m-p/691284#M235406 <P>Ok, to simplify it as easy as possible :</P><P>There are two indexes:<BR />INDEXA<BR />FieldA<BR />FieldB</P><P>INDEXB<BR />FieldA<BR />FieldC</P><P>to create a relation between indexes I need to modify INDEXB.FieldA</P><P><EM>eval FieldA1 = mvindex(split(FieldA, ","), 0)</EM></P><P><BR />and now want to group by FieldA/FieldA1and FieldB and count FieldC</P> Fri, 21 Jun 2024 11:44:40 GMT https://community.splunk.com/t5/Splunk-Search/Joining-and-grouping-indexes/m-p/691284#M235406 kp_pl 2024-06-21T11:44:40Z