https://community.splunk.com/t5/Splunk-Search/How-to-use-join-command-to-keep-events-from-subsearch-that-do/m-p/154999#M43603 <P>Just for reference (see 2nd answer) <A href="http://answers.splunk.com/answers/81741/full-outer-join">http://answers.splunk.com/answers/81741/full-outer-join</A></P> Thu, 24 Jul 2014 18:49:08 GMT somesoni2 2014-07-24T18:49:08Z https://community.splunk.com/t5/Splunk-Search/How-to-use-join-command-to-keep-events-from-subsearch-that-do/m-p/154995#M43599 <P>My understanding of the documentation (and my experiments) is that the <CODE>inner</CODE> keeps only events that match both searches, <CODE>left</CODE> keeps matches as well as items that were in the parent search but not in the child search, and <CODE>outer</CODE> keeps ONLY events that did not match from both searches. Unfortunately, I can't figure out how to keep items from the subsearch.</P> <P>The search that I have set as the parent search returns more than 50k events and therefore can't be the subsearch.</P> <P>Any ideas how to use the <CODE>join</CODE> command where the search keeps any events from the subsearch that do not have matches with the parent?</P> Wed, 23 Jul 2014 17:47:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-join-command-to-keep-events-from-subsearch-that-do/m-p/154995#M43599 sloshburch 2014-07-23T17:47:06Z https://community.splunk.com/t5/Splunk-Search/How-to-use-join-command-to-keep-events-from-subsearch-that-do/m-p/154996#M43600 <P>You might be able to do it without join (using stats). Could you provide your two searches?</P> Wed, 23 Jul 2014 18:14:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-join-command-to-keep-events-from-subsearch-that-do/m-p/154996#M43600 somesoni2 2014-07-23T18:14:03Z https://community.splunk.com/t5/Splunk-Search/How-to-use-join-command-to-keep-events-from-subsearch-that-do/m-p/154997#M43601 <P>Check this link.. how to join with out common fields</P> <P><A href="http://">http://answers.splunk.com/answers/109964/join-a-subsearch-with-the-outer-search-without-a-common-field</A></P> Wed, 23 Jul 2014 18:16:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-join-command-to-keep-events-from-subsearch-that-do/m-p/154997#M43601 strive 2014-07-23T18:16:30Z https://community.splunk.com/t5/Splunk-Search/How-to-use-join-command-to-keep-events-from-subsearch-that-do/m-p/154998#M43602 <P>Yes! Stats! I think that's the way to go. Then I can use something simple like a | fields just the stuff to keep | stats latest(*) as * by unique1 unique2</P> <P>Good idea!</P> <P>I can't really share the actual search - they are derived from a massive amount of macros and I'm concerned they exposes a little more about the business than I'm comfortable with.</P> <P>The stats is a great idea - exactly what I was looking for - a way to approach this from another direction. Thanks again.</P> Thu, 24 Jul 2014 18:42:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-join-command-to-keep-events-from-subsearch-that-do/m-p/154998#M43602 sloshburch 2014-07-24T18:42:56Z https://community.splunk.com/t5/Splunk-Search/How-to-use-join-command-to-keep-events-from-subsearch-that-do/m-p/154999#M43603 <P>Just for reference (see 2nd answer) <A href="http://answers.splunk.com/answers/81741/full-outer-join">http://answers.splunk.com/answers/81741/full-outer-join</A></P> Thu, 24 Jul 2014 18:49:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-join-command-to-keep-events-from-subsearch-that-do/m-p/154999#M43603 somesoni2 2014-07-24T18:49:08Z https://community.splunk.com/t5/Splunk-Search/How-to-use-join-command-to-keep-events-from-subsearch-that-do/m-p/155000#M43604 <P>Thanks. That is exactly how I interpreted your tip. Ideally I get them on the same initial search but at the least I think I'll be all set using stats. Thanks again!</P> Thu, 24 Jul 2014 19:57:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-join-command-to-keep-events-from-subsearch-that-do/m-p/155000#M43604 sloshburch 2014-07-24T19:57:08Z