https://community.splunk.com/t5/Splunk-Search/Join-two-searches-by-different-field-names/m-p/165670#M47095 <P>Your subsearches don't have a currentPage field - they have pageviews. That aside, I think you'd have better results with the appendcols command.</P> <PRE><CODE>index="ecom" eventName=pageLoad | regex referrer="^http://www.example.com/these-files/*" | rex field=referrer "(?.*?)?" | rex field=new_referrer mode=sed "s/^http://www.example.com/ /g" | stats count as clicksOut by new_referrer | rename new_referrer as currentPage | appendcols [search index="ecom" eventName=pageLoad | stats count as pageViews by currentPage] </CODE></PRE> Fri, 24 Apr 2015 17:56:17 GMT richgalloway 2015-04-24T17:56:17Z https://community.splunk.com/t5/Splunk-Search/Join-two-searches-by-different-field-names/m-p/165668#M47093 <P>I have a search I'm running which now works fine</P> <P>index="ecom" eventName=pageLoad | regex referrer="^<A href="http://www.example.com/these-files/*" target="_blank">http://www.example.com/these-files/*</A>" | rex field=referrer "(?.*?)\?" | rex field=new_referrer mode=sed "s/^http:\/\/<A href="http://www.example.com/" target="_blank">www.example.com/</A> /g" | stats count as clicksOut by new_referrer | rename new_referrer as currentPage </P> <P>This gets me results such as<BR /> currentPage - clicksOut<BR /> /these-files/abc - 4<BR /> /these-files/def - 5</P> <P>etc.</P> <P>I am now trying to join a separate search based on the currentPage field</P> <P>| join currentPage [search index="ecom" eventName=pageLoad | stats count as pageViews by currentPage]</P> <P>If I run this search I get back a variety of results (as should be)<BR /> / - 100<BR /> /these-files - 400<BR /> /these-files/abc - 10<BR /> /these-files/def - 5</P> <P>Ideally when the join occurs I'd have a list of all clicksOut and pageViews<BR /> currentPage - clicksOut - pageViews<BR /> /these-files/abc - 4 - 10<BR /> /these-files/def - 5 - 5</P> <P>When I run the full search below I get no results though - any ideas?</P> <P>index="ecom" eventName=pageLoad | regex referrer="^<A href="http://www.example.com/these-files/*" target="_blank">http://www.example.com/these-files/*</A>" | rex field=referrer "(?.*?)\?" | rex field=new_referrer mode=sed "s/^http:\/\/<A href="http://www.example.com/" target="_blank">www.example.com/</A> /g" | stats count as clicksOut by new_referrer | rename new_referrer as currentPage | join currentPage [search index="ecom" eventName=pageLoad | stats count as pageViews by currentPage]</P> Mon, 28 Sep 2020 19:40:39 GMT https://community.splunk.com/t5/Splunk-Search/Join-two-searches-by-different-field-names/m-p/165668#M47093 akhanVG 2020-09-28T19:40:39Z https://community.splunk.com/t5/Splunk-Search/Join-two-searches-by-different-field-names/m-p/165669#M47094 <P>You shouldn't need to do the same join twice here and you can use join type=left to still get your original result set even if noting matched. Try removing the last join and change the first one to join type=left and let us all know the results. It may be that the joined result set has no matches or doesn't exist.</P> Fri, 24 Apr 2015 17:52:54 GMT https://community.splunk.com/t5/Splunk-Search/Join-two-searches-by-different-field-names/m-p/165669#M47094 dolivasoh 2015-04-24T17:52:54Z https://community.splunk.com/t5/Splunk-Search/Join-two-searches-by-different-field-names/m-p/165670#M47095 <P>Your subsearches don't have a currentPage field - they have pageviews. That aside, I think you'd have better results with the appendcols command.</P> <PRE><CODE>index="ecom" eventName=pageLoad | regex referrer="^http://www.example.com/these-files/*" | rex field=referrer "(?.*?)?" | rex field=new_referrer mode=sed "s/^http://www.example.com/ /g" | stats count as clicksOut by new_referrer | rename new_referrer as currentPage | appendcols [search index="ecom" eventName=pageLoad | stats count as pageViews by currentPage] </CODE></PRE> Fri, 24 Apr 2015 17:56:17 GMT https://community.splunk.com/t5/Splunk-Search/Join-two-searches-by-different-field-names/m-p/165670#M47095 richgalloway 2015-04-24T17:56:17Z https://community.splunk.com/t5/Splunk-Search/Join-two-searches-by-different-field-names/m-p/165671#M47096 <P>Oh shoot that was a mistake in formatting there is only one join but I'll see if left works</P> Fri, 24 Apr 2015 17:56:37 GMT https://community.splunk.com/t5/Splunk-Search/Join-two-searches-by-different-field-names/m-p/165671#M47096 akhanVG 2015-04-24T17:56:37Z https://community.splunk.com/t5/Splunk-Search/Join-two-searches-by-different-field-names/m-p/165672#M47097 <P>No dice - I tried this but the clicksOut always comes up as blank.</P> Fri, 24 Apr 2015 18:07:34 GMT https://community.splunk.com/t5/Splunk-Search/Join-two-searches-by-different-field-names/m-p/165672#M47097 akhanVG 2015-04-24T18:07:34Z https://community.splunk.com/t5/Splunk-Search/Join-two-searches-by-different-field-names/m-p/165673#M47098 <P>If this works for you, please click "Accept Answer"...</P> <PRE><CODE>index="ecom" eventName=pageLoad | regex referrer="^http://www.example.com/these-files/*" | rex field=referrer "(?.*?)?" | rex field=new_referrer mode=sed "s/^http://www.example.com/ /g" | stats count as pageViews, count(eval(new_referrer="*")) as clicksOut by currentPage | fillnull value=0 pageViews clicksOut </CODE></PRE> Fri, 24 Apr 2015 18:54:12 GMT https://community.splunk.com/t5/Splunk-Search/Join-two-searches-by-different-field-names/m-p/165673#M47098 masonmorales 2015-04-24T18:54:12Z