https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-combine-3-searches-with-JOIN/m-p/231261#M68594 <P>In my case data will be like first two will have same details like IP, ID, etc... and third part won't have IP but have ID and all index &amp; sourcetypes are same. So want to join the third par with 2nd part based on ID field as common and have to combine the result with 1st part based on IP field as common.</P> <P>I already tried with <CODE>index=a |join ipaddress [search index=b |table ipaddress uniqueId ]| join uniqueId [search index=c|table uniqueId sample]|stats values(uniqueId) by ipaddress</CODE> and <CODE>index=a |join ipaddress [search index=b |table ipaddress uniqueId | join uniqueId [search index=c|table uniqueId sample]]|stats values(uniqueId) by ipaddress</CODE> but the second part values are not populating</P> Fri, 07 Oct 2016 03:19:16 GMT kamaleshwarn 2016-10-07T03:19:16Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-combine-3-searches-with-JOIN/m-p/231258#M68591 <P>Have question like how to join 3 subsearches, usually we can join the searches with similar field (ex: join samplefield [....). But here the scenario is bit different like below</P> <PRE><CODE>index=* (search cmd) | join ipaddress [ search index=* ipaddress uniqueID....| join uniqueID [search index=* uniqueID sample....]] | stats values(uniqueID) BY ipaddress </CODE></PRE> <P>Is there any possibility to join like above scenario.. Thanks in advance</P> Wed, 05 Oct 2016 10:40:20 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-combine-3-searches-with-JOIN/m-p/231258#M68591 kamaleshwarn 2016-10-05T10:40:20Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-combine-3-searches-with-JOIN/m-p/231259#M68592 <P>Technically, it is possible, but there could be a better way to achieve this. Could you please provide more details on what you're trying to achieve, how your data looks like from all three searches etc? Joins are expensive and should be avoided wherever possible.</P> Wed, 05 Oct 2016 17:15:46 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-combine-3-searches-with-JOIN/m-p/231259#M68592 somesoni2 2016-10-05T17:15:46Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-combine-3-searches-with-JOIN/m-p/231260#M68593 <P>I agree with somesoni2. If you have 3 indexes/sourcetypes that all have the same joining field, you can do a <CODE>index=a OR index=b OR index=c|stats values(d) by commonField</CODE><BR /> to join them all together. </P> <P>However, there are cases where you have to join c to b and b to a because a and c do not have a common field to join on. I run into this in one of my reports. </P> <P>this examples as a join inside of a join</P> <PRE><CODE>index=a |join ipaddress [search index=b |table ipaddress uniqueId | join uniqueId [search index=c|table uniqueId sample]]|stats values(uniqueId) by ipaddress </CODE></PRE> <P>or this joins them separately</P> <PRE><CODE>index=a |join ipaddress [search index=b |table ipaddress uniqueId ]| join uniqueId [search index=c|table uniqueId sample]|stats values(uniqueId) by ipaddress </CODE></PRE> Thu, 06 Oct 2016 15:59:17 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-combine-3-searches-with-JOIN/m-p/231260#M68593 cmerriman 2016-10-06T15:59:17Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-combine-3-searches-with-JOIN/m-p/231261#M68594 <P>In my case data will be like first two will have same details like IP, ID, etc... and third part won't have IP but have ID and all index &amp; sourcetypes are same. So want to join the third par with 2nd part based on ID field as common and have to combine the result with 1st part based on IP field as common.</P> <P>I already tried with <CODE>index=a |join ipaddress [search index=b |table ipaddress uniqueId ]| join uniqueId [search index=c|table uniqueId sample]|stats values(uniqueId) by ipaddress</CODE> and <CODE>index=a |join ipaddress [search index=b |table ipaddress uniqueId | join uniqueId [search index=c|table uniqueId sample]]|stats values(uniqueId) by ipaddress</CODE> but the second part values are not populating</P> Fri, 07 Oct 2016 03:19:16 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-combine-3-searches-with-JOIN/m-p/231261#M68594 kamaleshwarn 2016-10-07T03:19:16Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-combine-3-searches-with-JOIN/m-p/231262#M68595 <P>As pointed out above, there should be a better way to make your query than using multiple joins. However, it is possible. Here is an example query with four joins, with real data names redacted:</P> <PRE><CODE>| pivot sdl s count(s) AS acr FILTER acrs is true | join [| pivot sdl s count(s) AS ncfs FILTER ucfs is true] | join [| pivot sdl s count(s) AS ucfs FILTER ucfsn is true] | join [| pivot sdl s count(s) AS dnds FILTER dndsn is true FILTER dnde is false] | join [| pivot sdl s count(s) AS dnde FILTER dndsn is true FILTER dnde is true] | eval ft="acr ncf ucf dnd" | makemv ft | mvexpand ft | eval so=case(ft=="acr", acr,ft="ncf", ncfs,ft="ucf",ucfs, ft="dnd", dnds) | eval enabled=case(ft=="acr", acre, ft="ncf", ncf_Enabled, ft="ucf", ucf_Enabled, ft="dnd", dnde) | fields ft,so,enabled </CODE></PRE> Fri, 07 Oct 2016 08:41:27 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-combine-3-searches-with-JOIN/m-p/231262#M68595 bhawkins1 2016-10-07T08:41:27Z