Splunk Search

Is there any alternate for JOIN

greeshmak
Explorer

Hi,

I'm having problems while joining the queries.

I have the logs in the same index and application, but logged on different lines. I need to join 4 queries to join 4 fields.
Ex: Fields are StudentNumber, major, subjects, marks (failed), marks (pass)
I have the above fields in different lines, but the index is the same, and everywhere I have StudentNumber. So I'm joining these fields using the StudentNumber, which requires 4 joins for the desired result.

Is there any alternate way to combine this information and get the details without using join?


cmerriman
Super Champion

The best alternate to join, in my opinion, is stats, if you can make it work. If you can do a values, latest or max by the unique field in all events, stats should generally work. However, append is another great option but has its limitations, as does everything.

If you can't get one of those options to work, can we have some more information about the dataset itself?

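The stats-instead-of-join pattern described above, as an added example that is not part of this thread: the first five lines build constructed mock events (one field per line, all keyed by StudentNumber, mirroring the asker's layout) with makeresults so the search runs on any Splunk instance; in a real search those lines would be replaced by your own `index=... sourcetype=...` and field extractions. The field names (major, subjects, marks_failed, marks_pass) and the student numbers are assumptions.

```spl
| makeresults count=1
| eval raw="1001,major,Physics;1001,subjects,Mechanics;1001,marks_failed,1;1001,marks_pass,4;1002,major,History;1002,subjects,Antiquity;1002,marks_failed,0;1002,marks_pass,5"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<StudentNumber>[^,]+),(?<key>[^,]+),(?<value>.*)$"
| eval major=if(key=="major", value, null()),
       subjects=if(key=="subjects", value, null()),
       marks_failed=if(key=="marks_failed", tonumber(value), null()),
       marks_pass=if(key=="marks_pass", tonumber(value), null())
| stats values(major) AS major values(subjects) AS subjects
        max(marks_failed) AS marks_failed max(marks_pass) AS marks_pass
        by StudentNumber
```

Because each event carries only one of the four fields, the eval leaves the others null and the single `stats ... by StudentNumber` collapses the four lines per student into one row, which is what the four joins were producing. Swap values() for latest() or max() depending on whether a field can legitimately appear more than once per student.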

DalJeanis
SplunkTrust

Please give us an example query that gets you each kind of record. Also, a non-confidential example of the data and the output you expect/hope for.


lguinn2
Legend

Is this your homework? If not, then please give us your example query and maybe some scrubbed sample data.
If it is your homework, then I suggest that you do a Google/Bing/Yahoo search for "Splunk avoid join" and read the top 5-10 hits.
For more information, you could start with this one:
https://answers.splunk.com/answers/387510/what-are-alternatives-to-using-the-join-command-fo.html


niketn
Legend

Splunk documentation for join contains alternatives with use cases as well: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join#Alternative_commands

You can also refer to http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation or Nick Mealy's .conf presentation for the same http://conf.splunk.com/sessions/2016-sessions.html#search=Let%20Stats%20Sort%20Them%20Out&.

Like DalJeanis and lguinn have mentioned, we could be more helpful if you add more details: mock events, query, expected output.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"