https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193403#M55659 <P>I think I may be looking at a MySQL database. Some of the standard SQL commands give me errors and it even says things about MySQL.</P> Tue, 12 May 2015 17:50:51 GMT dbrewerton 2015-05-12T17:50:51Z https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193395#M55651 <P>Hey folks, I am new here and glad to find this useful resource. I have four tables that I am trying to create a join to make the information cohesive across all four. My schema is like this:</P> <P>devmacs<BR /> - macaddr<BR /> - mac_id</P> <P>macport<BR /> - macportid<BR /> - portname</P> <P>devs<BR /> - officeid<BR /> - routername<BR /> - mac<BR /> - ip</P> <P>offices<BR /> - officeid<BR /> - officename</P> <P>Now, what I am trying to do is connect all of these up in the following ways:</P> <P>devmacs.mac_id joins to macport.macportid<BR /> devmacs.mac joins to devs.mac<BR /> devmacs.officeid joins to offices.officeid</P> <P>I want to present my table data like so:</P> <P>devmacs.macaddr, macport.portname, devs.routername, devs.ip, offices.officename</P> <P>If this were all SQL server query, I would probably have no trouble. The issue I have is getting used to how Splunk queries actually work using the dbconnect part of Splunk. Any help would be most appreciated and thank you.</P> Tue, 12 May 2015 12:38:04 GMT https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193395#M55651 dbrewerton 2015-05-12T12:38:04Z https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193396#M55652 <P>You mention "tables" and "db connect". Is your data in Splunk or in a SQL database? If the latter then it's just a matter of creating an external database connection and using DB Connect to run a SQL query.</P> Tue, 12 May 2015 13:56:45 GMT https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193396#M55652 richgalloway 2015-05-12T13:56:45Z https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193397#M55653 <P>Sorry, I was trying to establish a baseline of what my competency level is. I heard that DB Connect is much like using SQL query language.</P> Tue, 12 May 2015 16:43:11 GMT https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193397#M55653 dbrewerton 2015-05-12T16:43:11Z https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193398#M55654 <P>Read this ! It may be the quickest way to get where you want to be: <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/SQLtoSplunk">http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/SQLtoSplunk</A></P> <P>Secondly, if you post a few sample events, people will be able to help you much more easily. </P> <P>If those linked fields, e.g. office id, are very static, you may want to consider using a lookup table to connect these fields... If you did that, you'd be able to just use <CODE>table</CODE> to get that output. </P> Tue, 12 May 2015 16:51:32 GMT https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193398#M55654 aljohnson_splun 2015-05-12T16:51:32Z https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193399#M55655 <P>Give me the SQL and I will convert to SPL.</P> Tue, 12 May 2015 16:55:29 GMT https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193399#M55655 woodcock 2015-05-12T16:55:29Z https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193400#M55656 <P>Ok I think this should give me what I am looking for.</P> <PRE><CODE>SELECT dm.macaddr, dm.mac_id, mp.macportid, mp.portname, dv.officeid, dv.routername, dv.mac, dv.ip, off.officeid, off.officename from devmacs dm, macport mp, devs dv, offices off INNER JOIN macport on dv.mac_id = mp.macportid INNER JOIN devmacs on dm.mac = dv.mac INNER JOIN offices ON dv.officeid = off.officeid; </CODE></PRE> Tue, 12 May 2015 17:15:41 GMT https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193400#M55656 dbrewerton 2015-05-12T17:15:41Z https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193401#M55657 <P>If I understand you correctly, this is your situation:</P> <PRE><CODE>sourcetype devmacs has fields {macaddr,mac_id} sourceytpe macport has fields {macportid,portname} sourcetype devs has fields {officeid,routername,mac,ip} sourcetype offices has fields {officeid,officename} </CODE></PRE> <P>If that is correct, then these are your base searches to do the "joins" (without using "join", which is problematic):<BR /> <CODE>devmacs.mac_id joins to macport.macportid</CODE>:</P> <PRE><CODE>sourcetype=devmacs OR sourcetype=macport | eval comboID=coalesce(devmacs,macport) | eventstats dc(sourcetype) AS sourcetypes by comboID | search sourcetypes&amp;gt;=2 </CODE></PRE> <P><CODE>devmacs.mac joins to devs.mac</CODE>:</P> <PRE><CODE> sourcetype=devmacs OR sourcetype=devs | eventstats dc(sourcetype) AS sourcetypes by mac | search sourcetypes&amp;gt;=2 </CODE></PRE> <P><CODE>devmacs.officeid joins to offices.officeid</CODE>:</P> <PRE><CODE> sourcetype=devmacs OR sourcetype=officeid | eventstats dc(sourcetype) AS sourcetypes by officeid | search sourcetypes&amp;gt;=2 </CODE></PRE> <P>As far as the rest, I do not understand what you are trying to do but this should get you almost there.</P> Tue, 12 May 2015 17:24:41 GMT https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193401#M55657 woodcock 2015-05-12T17:24:41Z https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193402#M55658 <P>DB Connect is used to extract data from an SQL database into Splunk. Using DB Connect will feel familiar to SQL users.<BR /> If your data is already in Splunk, however, DB Connect is not the answer.</P> Tue, 12 May 2015 17:47:33 GMT https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193402#M55658 richgalloway 2015-05-12T17:47:33Z https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193403#M55659 <P>I think I may be looking at a MySQL database. Some of the standard SQL commands give me errors and it even says things about MySQL.</P> Tue, 12 May 2015 17:50:51 GMT https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193403#M55659 dbrewerton 2015-05-12T17:50:51Z https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193404#M55660 <P>What are some of those commands, where are you entering them, and what are the errors?</P> Tue, 12 May 2015 17:54:51 GMT https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193404#M55660 richgalloway 2015-05-12T17:54:51Z https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193405#M55661 <P>I was overthinking the situation. Thank you folks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> I did figure it out but each of you did help me on my adventure.</P> Tue, 12 May 2015 19:31:22 GMT https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193405#M55661 dbrewerton 2015-05-12T19:31:22Z https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193406#M55662 <P>Could you please share how you were able to do the task at hand. I am facing the similar issue, it would help me</P> Mon, 05 Feb 2018 12:08:38 GMT https://community.splunk.com/t5/Splunk-Search/Combining-multiple-tables-by-join-in-Splunk/m-p/193406#M55662 gangwarj 2018-02-05T12:08:38Z