https://community.splunk.com/t5/Splunk-Search/left-join-multivalue/m-p/287053#M86893 <P>Then use mvexpand first, then join, then back to multivalue by using stats values or something similar.</P> <P>Or use one of the join alternatives I linked in my previoius answers. It'll be a bit more complicated to implement but it will be faster</P> Fri, 29 Jul 2016 13:03:26 GMT javiergn 2016-07-29T13:03:26Z https://community.splunk.com/t5/Splunk-Search/left-join-multivalue/m-p/287049#M86889 <P>hi,</P> <P>i try to use left join to match between two index.</P> <PRE><CODE>index="myfirst_Index" | rex max_match=0 field=multivalued_field "(.*?)(GET|POST)(?(.*?))$" |join type=left URL1 [|search index=mysecond_index |eval URL1=URL |fields URL1 element1] | table multivalued_field URL1 element1 </CODE></PRE> <P>when multivalued_field contain only one value the join work fine and i obtain what i need on element1, but when i have multi value no match found.</P> <P>how can i do to correct my request ?</P> <P>thx</P> Fri, 29 Jul 2016 12:15:23 GMT https://community.splunk.com/t5/Splunk-Search/left-join-multivalue/m-p/287049#M86889 sfatnass 2016-07-29T12:15:23Z https://community.splunk.com/t5/Splunk-Search/left-join-multivalue/m-p/287050#M86890 <P>Hi, could you modify your question and include the query between code labels?<BR /> Otherwise when you post that it'll trim special HTML characters.</P> Fri, 29 Jul 2016 12:20:02 GMT https://community.splunk.com/t5/Splunk-Search/left-join-multivalue/m-p/287050#M86890 javiergn 2016-07-29T12:20:02Z https://community.splunk.com/t5/Splunk-Search/left-join-multivalue/m-p/287051#M86891 <P>You could try to expand your multivalued field before the join:</P> <PRE><CODE>index="myfirst_Index" | rex max_match=0 field=multivalued_field "(.?)(GET|POST)(?(.?))$" | mvexpand URL1 | join type=left URL1 [|search index=mysecond_index |eval URL1=URL |fields URL1 element1] | table multivalued_field URL1 element1 </CODE></PRE> <P>Careful when using join though (performance, limits in outputs, etc).<BR /> See the following answers:</P> <P><A href="https://answers.splunk.com/answers/221304/alternatives-to-join-with-two-matching-event-field.html">https://answers.splunk.com/answers/221304/alternatives-to-join-with-two-matching-event-field.html</A><BR /> <A href="https://answers.splunk.com/answers/387510/what-are-alternatives-to-using-the-join-command-fo.html">https://answers.splunk.com/answers/387510/what-are-alternatives-to-using-the-join-command-fo.html</A><BR /> <A href="https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html">https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html</A></P> <P>Thanks,<BR /> J</P> Fri, 29 Jul 2016 12:22:06 GMT https://community.splunk.com/t5/Splunk-Search/left-join-multivalue/m-p/287051#M86891 javiergn 2016-07-29T12:22:06Z https://community.splunk.com/t5/Splunk-Search/left-join-multivalue/m-p/287052#M86892 <P>your solution not help me really i have to conserve URL1 like multivalue, because i need to get element1 like multivalued field.<BR /> otherwise if i use lookup and not index for mysecond_index how can i do?</P> Fri, 29 Jul 2016 12:41:30 GMT https://community.splunk.com/t5/Splunk-Search/left-join-multivalue/m-p/287052#M86892 sfatnass 2016-07-29T12:41:30Z https://community.splunk.com/t5/Splunk-Search/left-join-multivalue/m-p/287053#M86893 <P>Then use mvexpand first, then join, then back to multivalue by using stats values or something similar.</P> <P>Or use one of the join alternatives I linked in my previoius answers. It'll be a bit more complicated to implement but it will be faster</P> Fri, 29 Jul 2016 13:03:26 GMT https://community.splunk.com/t5/Splunk-Search/left-join-multivalue/m-p/287053#M86893 javiergn 2016-07-29T13:03:26Z https://community.splunk.com/t5/Splunk-Search/left-join-multivalue/m-p/287054#M86894 <P>the request using stats don't work </P> Fri, 29 Jul 2016 13:10:14 GMT https://community.splunk.com/t5/Splunk-Search/left-join-multivalue/m-p/287054#M86894 sfatnass 2016-07-29T13:10:14Z