topic How do I split the output of the join in Splunk in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-do-I-split-the-output-of-the-join-in-Splunk/m-p/205728#M59823 <P>I have a splunk join between a synchornous event and an asynchornous event. The only join condition between these are just a correlation id. I am able to get the join but I want to now know what are the actual reason which caused it and would like to see the part of a join . How do I do that.</P> <PRE><CODE>index=xyz platform=apns batch=496 event="NEAT-IN" | join type=outer alertId [ search index=xyz event=cloudPns* ] | stats count by responseCode </CODE></PRE> <P>Now if the responseCode is 8 then I have a problem but I want to see all the events with event=cloudPns* alone for this join condition .</P> <P>I tried where but it gave me 0 results.<BR /> what I tried is this:</P> <PRE><CODE>index=qa-speed platform=apns batch=496 event="NEAT-IN" | join type=outer alertId [ search index=qa-speed event=cloudPns* ] |search where event=cloudPns* </CODE></PRE> <P>How do I achieve this . I basically want to see the output of the right part of the join.</P> Mon, 07 Sep 2015 07:01:56 GMT arungeorge09 2015-09-07T07:01:56Z How do I split the output of the join in Splunk https://community.splunk.com/t5/Splunk-Search/How-do-I-split-the-output-of-the-join-in-Splunk/m-p/205728#M59823 <P>I have a splunk join between a synchornous event and an asynchornous event. The only join condition between these are just a correlation id. I am able to get the join but I want to now know what are the actual reason which caused it and would like to see the part of a join . How do I do that.</P> <PRE><CODE>index=xyz platform=apns batch=496 event="NEAT-IN" | join type=outer alertId [ search index=xyz event=cloudPns* ] | stats count by responseCode </CODE></PRE> <P>Now if the responseCode is 8 then I have a problem but I want to see all the events with event=cloudPns* alone for this join condition .</P> <P>I tried where but it gave me 0 results.<BR /> what I tried is this:</P> <PRE><CODE>index=qa-speed platform=apns batch=496 event="NEAT-IN" | join type=outer alertId [ search index=qa-speed event=cloudPns* ] |search where event=cloudPns* </CODE></PRE> <P>How do I achieve this . I basically want to see the output of the right part of the join.</P> Mon, 07 Sep 2015 07:01:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-split-the-output-of-the-join-in-Splunk/m-p/205728#M59823 arungeorge09 2015-09-07T07:01:56Z Re: How do I split the output of the join in Splunk https://community.splunk.com/t5/Splunk-Search/How-do-I-split-the-output-of-the-join-in-Splunk/m-p/205729#M59824 <P>Using the <EM>join</EM> command will literally <EM>join</EM> events together so you cannot then search only for part of an event. If you wanted to return the raw event from the righthand join you could maybe rename the <EM>_raw</EM> field before the join and then table it like this:</P> <PRE><CODE> index=qa-speed platform=apns batch=496 event="NEAT-IN" | join type=outer alertId [ search index=qa-speed event=cloudPns* | rename _raw AS rawEvent ] | table rawEvent </CODE></PRE> Mon, 07 Sep 2015 13:49:25 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-split-the-output-of-the-join-in-Splunk/m-p/205729#M59824 lquinn 2015-09-07T13:49:25Z