https://community.splunk.com/t5/Splunk-Search/join-two-table/m-p/96038#M24785 <P>hi all ,</P> <P>after using the below search i got one table which has the transactional data as</P> <P>source="aaa"|transaction TaskName startswith=START endswith=Succeeded|table TaskBP duration</P> <P>TaskName duration</P> <P>Task1 1.90</P> <P>Task2 2.67</P> <P>Task1 7.55</P> <P>another table with Taskname and its average duration by using the below search </P> <P>source="aaa"|transaction TaskName startswith=START endswith=Succeeded|stats avg(duration) by taskname |table taskname avg(duration)</P> <P>i want to join these two searches so that my table will become as</P> <P>Taskname duration avg(duration)</P> <P>Task1 1.90 12.4</P> <P>task2 2.67 5.9</P> <P>Task1 7.55 12.4</P> <P>i think of using the left outer join..plz help in writing the search </P> Fri, 19 Oct 2012 10:50:48 GMT splunkpoornima 2012-10-19T10:50:48Z https://community.splunk.com/t5/Splunk-Search/join-two-table/m-p/96038#M24785 <P>hi all ,</P> <P>after using the below search i got one table which has the transactional data as</P> <P>source="aaa"|transaction TaskName startswith=START endswith=Succeeded|table TaskBP duration</P> <P>TaskName duration</P> <P>Task1 1.90</P> <P>Task2 2.67</P> <P>Task1 7.55</P> <P>another table with Taskname and its average duration by using the below search </P> <P>source="aaa"|transaction TaskName startswith=START endswith=Succeeded|stats avg(duration) by taskname |table taskname avg(duration)</P> <P>i want to join these two searches so that my table will become as</P> <P>Taskname duration avg(duration)</P> <P>Task1 1.90 12.4</P> <P>task2 2.67 5.9</P> <P>Task1 7.55 12.4</P> <P>i think of using the left outer join..plz help in writing the search </P> Fri, 19 Oct 2012 10:50:48 GMT https://community.splunk.com/t5/Splunk-Search/join-two-table/m-p/96038#M24785 splunkpoornima 2012-10-19T10:50:48Z https://community.splunk.com/t5/Splunk-Search/join-two-table/m-p/96039#M24786 <P>How is this different from the other question you had regarding adding an avg(duration) value to your search?</P> Fri, 19 Oct 2012 11:24:44 GMT https://community.splunk.com/t5/Splunk-Search/join-two-table/m-p/96039#M24786 Ayn 2012-10-19T11:24:44Z https://community.splunk.com/t5/Splunk-Search/join-two-table/m-p/96040#M24787 <P>use a join on the common field</P> <P><CODE>mysearchA | table field1 field2 <BR /> | JOIN field1 [ mysearchB | table field1 field3] <BR /> | table field1 field2 field3</CODE></P> <P>see <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join</A></P> Sun, 21 Oct 2012 15:21:06 GMT https://community.splunk.com/t5/Splunk-Search/join-two-table/m-p/96040#M24787 yannK 2012-10-21T15:21:06Z https://community.splunk.com/t5/Splunk-Search/join-two-table/m-p/96041#M24788 <P>hi, </P> <P>I have the same problem</P> <P>mysearchA | table field1 field2 <BR /> | JOIN field1 [ mysearchB | table field1 field3] <BR /> | table field1 field2 field3</P> <P>what is the mySearchA,mySearchB stands for ?<BR /> my data provider(file) is a host named XXX <BR /> when i am using a host=XXX in both of "mySearchA,B" expression i am getting an error</P> <P>help needed<BR /> Thanks shay</P> Tue, 17 Dec 2013 14:10:37 GMT https://community.splunk.com/t5/Splunk-Search/join-two-table/m-p/96041#M24788 shayhk 2013-12-17T14:10:37Z https://community.splunk.com/t5/Splunk-Search/join-two-table/m-p/96042#M24789 <P>try "source=XXX"</P> Tue, 17 Dec 2013 14:35:14 GMT https://community.splunk.com/t5/Splunk-Search/join-two-table/m-p/96042#M24789 somesoni2 2013-12-17T14:35:14Z https://community.splunk.com/t5/Splunk-Search/join-two-table/m-p/96043#M24790 <P>You want that the searchA and searchB return a single line per field1, otherwise the join between the 2 lists will be wrong. </P> <P>An example with a join between a list of users and the logins per server can be :<BR /> <CODE>index=users username=* email=* <BR /> | stats values(email) AS email by username<BR /> | JOIN username <BR /> [ <BR /> search index=servers login username=* <BR /> | stats values(host) AS server_login_list earliest(_time) AS recent_login earliest(host) AS recent_server by username<BR /> ] <BR /> | table username email server_login_list recent_login recent_server<BR /> </CODE></P> Tue, 17 Dec 2013 17:44:44 GMT https://community.splunk.com/t5/Splunk-Search/join-two-table/m-p/96043#M24790 yannK 2013-12-17T17:44:44Z