https://community.splunk.com/t5/Splunk-Search/How-to-join-two-sources-based-on-two-search-fields/m-p/255300#M76453 <P>I have two sets of data:<BR /> 1. sourcetype=app "DEBUG A" function=UpdateCartItemStatus status=Rejected<BR /> 2. sourcetype=app "DEBUG B" function=UpdateCartItemStatus</P> <P>Set 1 (DEBUG A) also has the fields unitID1, unitID2, and user1<BR /> Set 2 (DEBUG B) also has the fields unitID1, unitID2, and user2</P> <P>I would like to join data set 1 with data set 2 on unitID1 and unitID2 and get a count of the number of instances this occurs per user2. Ideally this would be as efficient as possible as the data sources are large, searches can span long periods of time, and they are constantly being refreshed. A join is not required, it was just the first thing I thought of. </P> <P>I am using the dashboard editor for Splunk Enterprise. </P> Wed, 02 Dec 2015 19:14:22 GMT vmnguyen 2015-12-02T19:14:22Z https://community.splunk.com/t5/Splunk-Search/How-to-join-two-sources-based-on-two-search-fields/m-p/255300#M76453 <P>I have two sets of data:<BR /> 1. sourcetype=app "DEBUG A" function=UpdateCartItemStatus status=Rejected<BR /> 2. sourcetype=app "DEBUG B" function=UpdateCartItemStatus</P> <P>Set 1 (DEBUG A) also has the fields unitID1, unitID2, and user1<BR /> Set 2 (DEBUG B) also has the fields unitID1, unitID2, and user2</P> <P>I would like to join data set 1 with data set 2 on unitID1 and unitID2 and get a count of the number of instances this occurs per user2. Ideally this would be as efficient as possible as the data sources are large, searches can span long periods of time, and they are constantly being refreshed. A join is not required, it was just the first thing I thought of. </P> <P>I am using the dashboard editor for Splunk Enterprise. </P> Wed, 02 Dec 2015 19:14:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-two-sources-based-on-two-search-fields/m-p/255300#M76453 vmnguyen 2015-12-02T19:14:22Z https://community.splunk.com/t5/Splunk-Search/How-to-join-two-sources-based-on-two-search-fields/m-p/255301#M76454 <P>Try this?</P> <PRE><CODE>search for set 1 data | eval unit=unitd1."::::".unitd2 | append [search for set 2 data | eval unit=unitd1."::::".unitd2] | chart limit=0 count by unit over user </CODE></PRE> Wed, 02 Dec 2015 19:33:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-two-sources-based-on-two-search-fields/m-p/255301#M76454 sundareshr 2015-12-02T19:33:59Z https://community.splunk.com/t5/Splunk-Search/How-to-join-two-sources-based-on-two-search-fields/m-p/255302#M76455 <P>Hm...let me clarify:</P> <P>Datapoints:</P> <OL> <LI>sourcetype=app "DEBUG A" function=UpdateCartItemStatus status=Rejected unitID1=1008908999 unitID2 = front user=john</LI> <LI>sourcetype=app "DEBUG A" function=UpdateCartItemStatus status=Rejected unitID1=1008908999 unitID2 = back user=john</LI> <LI>sourcetype=app "DEBUG B" function=UpdateCartItemStatus status=Printed unitID1=1008908999 unitID2 = front user=mary</LI> <LI>sourcetype=app "DEBUG B" function=UpdateCartItemStatus status=Printed unitID1=1008908999 unitID2 = back user=mary</LI> </OL> <P>I want to count how many times Mary updated the status as "Printed" and DEBUG A reported that it was Rejected. The output should have a count of 2 for user=Mary. <BR /> Thus, I want to link datapoint 3 to datapoint 1 on and datapoint 4 to datapoint 2 using unitID1 and unitID2. </P> Wed, 02 Dec 2015 21:02:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-two-sources-based-on-two-search-fields/m-p/255302#M76455 vmnguyen 2015-12-02T21:02:25Z https://community.splunk.com/t5/Splunk-Search/How-to-join-two-sources-based-on-two-search-fields/m-p/255303#M76456 <P>will the <CODE>unitid</CODE> be the same for all (1008908999). how did you know that 3 should be liked to 1?</P> Wed, 02 Dec 2015 21:24:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-two-sources-based-on-two-search-fields/m-p/255303#M76456 sundareshr 2015-12-02T21:24:07Z https://community.splunk.com/t5/Splunk-Search/How-to-join-two-sources-based-on-two-search-fields/m-p/255304#M76457 <P>Yes, all four of those datapoints would have the same unitID1, but there are millions of datapoints with different unitIDs. We know 3 should be linked to 1 because they share the same unitID1 and unitID2. </P> Wed, 02 Dec 2015 21:34:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-two-sources-based-on-two-search-fields/m-p/255304#M76457 vmnguyen 2015-12-02T21:34:19Z https://community.splunk.com/t5/Splunk-Search/How-to-join-two-sources-based-on-two-search-fields/m-p/255305#M76458 <P>How about this</P> <PRE><CODE>search to get all data using append | transaction unitID2 unitID1 startswith="debug=A" endswith="debug=B" maxevents=2 keepevicted=f </CODE></PRE> <P>The <CODE>transaction</CODE> command has a few more options you can explore</P> Wed, 02 Dec 2015 21:36:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-two-sources-based-on-two-search-fields/m-p/255305#M76458 sundareshr 2015-12-02T21:36:42Z