<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Join two table in Splunk in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/Join-two-table-in-Splunk/m-p/119309#M32011</link>
    <description>&lt;P&gt;Don't think of your data as tables, because they aren't.  Using JOIN or INTERSECT actually runs multiple searches over the same data.  It's likely you can accomplish what you want in a single search, but what you've provided is pretty vague so I can't really provide a good example.  Something like this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;COM (FAILED AND source="/home/test/test.log") OR login
| rex "^(?:[^,\n]*,){3}(?P&amp;lt;sender&amp;gt;\+\d+)"
| rex "(?&amp;lt;sender&amp;gt;\+\d+)"
| eval login=if(searchmatch("login"), 1, 0)
| eval failed=if(searchmatch("FAILED"), 1, 0)
| stats max(login) as login max(failed) as failed by sender
| search login=1 AND failed=1
| table sender
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The problem with the specific thing you attempted is that you're telling it to join on the 'sender' field, but the subsearch only outputs one field:  'number'.  So there is no 'sender' for it to join on.&lt;/P&gt;</description>
    <pubDate>Tue, 14 Jul 2015 15:51:31 GMT</pubDate>
    <dc:creator>emiller42</dc:creator>
    <dc:date>2015-07-14T15:51:31Z</dc:date>
    <item>
      <title>Join two table in Splunk</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Join-two-table-in-Splunk/m-p/119307#M32009</link>
      <description>&lt;P&gt;HI All,&lt;/P&gt;

&lt;P&gt;Query1:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;(FAILED) COM source="/home/test/test.log"  | rex field=_raw "^(?:[^,\n]*,){3}(?P&amp;lt;sender&amp;gt;\+\d+)" | dedup sender | table sender
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Then the output will become&lt;BR /&gt;
111&lt;BR /&gt;
112&lt;BR /&gt;
113&lt;BR /&gt;
123&lt;/P&gt;

&lt;P&gt;Query2:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;login COM  | rex field=_raw "(?&amp;lt;number&amp;gt;\+\d+)"   | rex field=_raw "(?&amp;lt;Version&amp;gt;\w+\/\d+\.\d+\.\d*)"   | dedup number | search Version="1.0.4" | table number
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Then the output will become&lt;BR /&gt;
101&lt;BR /&gt;
111&lt;BR /&gt;
123&lt;BR /&gt;
124&lt;/P&gt;

&lt;P&gt;I would like to Join these two tables and generate the output as below.&lt;BR /&gt;
111&lt;BR /&gt;
123&lt;/P&gt;

&lt;P&gt;I have tried this command by combining these two queries, but there is no result at all. Any suggestions?&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;(FAILED) COM source="/home/test/test.log"  | rex field=_raw "^(?:[^,\n]*,){3}(?P&amp;lt;sender&amp;gt;\+\d+)" | dedup sender | table sender | JOIN sender [search login COM  | rex field=_raw "(?&amp;lt;number&amp;gt;\+\d+)"   | rex field=_raw "(?&amp;lt;Version&amp;gt;\w+\/\d+\.\d+\.\d*)"   | dedup number | search Version="1.0.4" | table number]
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 14 Jul 2015 13:37:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Join-two-table-in-Splunk/m-p/119307#M32009</guid>
      <dc:creator>cykuan</dc:creator>
      <dc:date>2015-07-14T13:37:16Z</dc:date>
    </item>
    <item>
      <title>Re: Join two table in Splunk</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Join-two-table-in-Splunk/m-p/119308#M32010</link>
      <description>&lt;P&gt;| set intersect [...your search 1 | fields number] [...your search 2 | fields number]&lt;/P&gt;

&lt;P&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Set"&gt;http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Set&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 14 Jul 2015 14:03:07 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Join-two-table-in-Splunk/m-p/119308#M32010</guid>
      <dc:creator>pradeepkumarg</dc:creator>
      <dc:date>2015-07-14T14:03:07Z</dc:date>
    </item>
    <item>
      <title>Re: Join two table in Splunk</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Join-two-table-in-Splunk/m-p/119309#M32011</link>
      <description>&lt;P&gt;Don't think of your data as tables, because they aren't.  Using JOIN or INTERSECT actually runs multiple searches over the same data.  It's likely you can accomplish what you want in a single search, but what you've provided is pretty vague so I can't really provide a good example.  Something like this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;COM (FAILED AND source="/home/test/test.log") OR login
| rex "^(?:[^,\n]*,){3}(?P&amp;lt;sender&amp;gt;\+\d+)"
| rex "(?&amp;lt;sender&amp;gt;\+\d+)"
| eval login=if(searchmatch("login"), 1, 0)
| eval failed=if(searchmatch("FAILED"), 1, 0)
| stats max(login) as login max(failed) as failed by sender
| search login=1 AND failed=1
| table sender
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The problem with the specific thing you attempted is that you're telling it to join on the 'sender' field, but the subsearch only outputs one field:  'number'.  So there is no 'sender' for it to join on.&lt;/P&gt;</description>
      <pubDate>Tue, 14 Jul 2015 15:51:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Join-two-table-in-Splunk/m-p/119309#M32011</guid>
      <dc:creator>emiller42</dc:creator>
      <dc:date>2015-07-14T15:51:31Z</dc:date>
    </item>
  </channel>
</rss>

