https://community.splunk.com/t5/Splunk-Search/Optimize-a-search-without-using-join/m-p/122900#M33162 <P>Hello,</P> <P>Hope you can give an solution to my concern.<BR /> There were different sourcetypes under a single index and they have a similar field called BATCH_ID, "Sourcetype A" is coming from a database input (dump) and "Sourcetype B" is from a DB input (tail). is it possible to match UNIQUE values under sourcetype A with sourcetype B and exclude those that were not present in Sourcetype A under a single field without using "join"? </P> <P>My search below takes time to load results on the browser:<BR /> index=AAA sourcetype="star_transaction_logs" BATCH_ID=* AGENCY_CODE=* EMPLOYEE_NO=* SERVICE_CODE=WHTLST SE_RESPCODE=0000 | join BATCH_ID AGENCY_CODE EMPLOYEE_NO [search index=AAA sourcetype=star_employees_history ACTION_TYPE=A BATCH_ID=* AGENCY_CODE=* EMPLOYEE_NO=* | join BRANCH_CODE [search index=mls_index sourcetype="star_branches_sourcetype" BRANCH_CODE=*] ] |dedup BATCH_ID | stats count(BATCH_ID) as COUNT by BRANCH_CODE BRANCH_NAME| addcoltotals label=Total labelfield=category COUNT | fields BRANCH_CODE BRANCH_NAME category COUNT | sort BRANCH_NAME</P> Mon, 28 Sep 2020 18:48:38 GMT jonathan_yan5 2020-09-28T18:48:38Z https://community.splunk.com/t5/Splunk-Search/Optimize-a-search-without-using-join/m-p/122900#M33162 <P>Hello,</P> <P>Hope you can give an solution to my concern.<BR /> There were different sourcetypes under a single index and they have a similar field called BATCH_ID, "Sourcetype A" is coming from a database input (dump) and "Sourcetype B" is from a DB input (tail). is it possible to match UNIQUE values under sourcetype A with sourcetype B and exclude those that were not present in Sourcetype A under a single field without using "join"? </P> <P>My search below takes time to load results on the browser:<BR /> index=AAA sourcetype="star_transaction_logs" BATCH_ID=* AGENCY_CODE=* EMPLOYEE_NO=* SERVICE_CODE=WHTLST SE_RESPCODE=0000 | join BATCH_ID AGENCY_CODE EMPLOYEE_NO [search index=AAA sourcetype=star_employees_history ACTION_TYPE=A BATCH_ID=* AGENCY_CODE=* EMPLOYEE_NO=* | join BRANCH_CODE [search index=mls_index sourcetype="star_branches_sourcetype" BRANCH_CODE=*] ] |dedup BATCH_ID | stats count(BATCH_ID) as COUNT by BRANCH_CODE BRANCH_NAME| addcoltotals label=Total labelfield=category COUNT | fields BRANCH_CODE BRANCH_NAME category COUNT | sort BRANCH_NAME</P> Mon, 28 Sep 2020 18:48:38 GMT https://community.splunk.com/t5/Splunk-Search/Optimize-a-search-without-using-join/m-p/122900#M33162 jonathan_yan5 2020-09-28T18:48:38Z https://community.splunk.com/t5/Splunk-Search/Optimize-a-search-without-using-join/m-p/122901#M33163 <P>Hi jonathan_yan5,</P> <P>Sure it is possible, take a closer look at this answer <A href="http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html">http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html</A> to learn more about it.</P> <P>cheers, MuS</P> Fri, 30 Jan 2015 14:27:42 GMT https://community.splunk.com/t5/Splunk-Search/Optimize-a-search-without-using-join/m-p/122901#M33163 MuS 2015-01-30T14:27:42Z https://community.splunk.com/t5/Splunk-Search/Optimize-a-search-without-using-join/m-p/122902#M33164 <P>Thanks MuS!.. it successfully matched a specific field with values on two different sourcetypes. Can you also give the search wherein i could match values on 3 different fields existing on two different sourcetypes under a single query? Basically i should be able to match BATCH_ID, AGENCY_CODE and EMPLOYEE_NO on my report</P> <P>Sourcetype A<BR /> Field BATCH_ID = ABC<BR /> Field AGENCY_CODE = XYZ<BR /> Field EMPLOYEE_NO = 123</P> <P>should match:</P> <P>Sourcetype B<BR /> Field BATCH_ID = ABC<BR /> Field AGENCY_CODE = XYZ<BR /> Field EMPLOYEE_NO = 123</P> Mon, 28 Sep 2020 18:49:00 GMT https://community.splunk.com/t5/Splunk-Search/Optimize-a-search-without-using-join/m-p/122902#M33164 jonathan_yan5 2020-09-28T18:49:00Z