Solved: Join 2 query based on common column

priya0709 · ‎08-17-2020

How can i join two query table based on common column ( host), but i want to display all columns from 1st table but just 1 column ( Incident column) from 2nd table??

to4kawa · ‎08-18-2020

query 1
| join Host [ query2]
| table Host, Time, Eventcode, Message, Incident

this is too slow , but it will work.

View solution in original post

to4kawa · ‎08-17-2020

What's the two queries and logs?

priya0709 · ‎08-18-2020

Query 1 displays ( Host, Time, Eventcode, Message)

Query 2 displays ( subject, Host, Incident)

i want to all match hosts in both column and based on that join the querys to display ( Host, Time, Eventcode, Message, incident)

to4kawa · ‎08-18-2020

query 1
| join Host [ query2]
| table Host, Time, Eventcode, Message, Incident

this is too slow , but it will work.

priya0709 · ‎08-18-2020

This worked but it is not displaying Host from query 1 even if it doesnt find any host in query 2??

my requirment is to match host but also display all output fro. Query 1??

to4kawa · ‎08-18-2020

please modify join option.

Join 2 query based on common column

troubleshooting

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!