Hi,
I'm having problems while joining the queries.
I have the logs in the same index and application, but logged in different lines. I need to join 4 queries to join 4 fields.
Ex: Fields are StudentNumber, major, subjects, marks (failed), marks (pass), marks
I have the above fields in different lines but the index is the same, and everywhere I have StudentNumber. So I'm joining these fields using the StudentNumber, which requires 4 joins for the desired result.
Is there any alternate way to combine this information and get the details without using join?
The best alternate to join, in my opinion, is stats if you can make it work. If you can do a values, latest or max by the unique field in all events, stats should generally work. However, append is another great option but has its limitations, as does everything.
If you can't get one of those options to work, can we have some more information about the dataset itself?
Please give us an example query that gets you each kind of record. Also, a non-confidential example of the data and the output you expect/hope for.
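As an added example (not written by any of the posters), here is the stats pattern DalJeanis describes applied to the question's own fields: every event carries StudentNumber, but each event carries only one of major, subject or marks, and one stats BY StudentNumber rolls them up without any join. The sample events are constructed with makeresults, and the pass mark of 40 is an assumption.

```spl
| makeresults count=5
| streamstats count AS n
| eval StudentNumber=case(n<=3, "1001", true(), "1002"),
       major=case(n==1, "Physics", n==4, "History"),
       subject=case(n==2, "Mechanics", n==3, "Optics", n==5, "Ancient Rome"),
       marks=case(n==2, 72, n==3, 35, n==5, 81)
| eval passed_subject=if(marks>=40, subject, null()),
       failed_subject=if(marks<40, subject, null())
| stats latest(major) AS major,
        values(subject) AS subjects,
        values(passed_subject) AS passed,
        values(failed_subject) AS failed,
        max(marks) AS best_mark,
        min(marks) AS worst_mark
        BY StudentNumber
```

On real data, replace the makeresults, streamstats and first eval lines with the base search that returns all four record types (for example index=... StudentNumber=*); the result is one row per student (1001: Physics, Mechanics/Optics, passed Mechanics, failed Optics, 72/35; 1002: History, Ancient Rome, passed Ancient Rome, 81/81) with no join.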
Is this your homework? If not, then please give us your example query and maybe some scrubbed sample data.
If it is your homework, then I suggest that you do a Google/Bing/Yahoo search for "Splunk avoid join" and read the top 5-10 hits.
For more information, you could start with this one:
https://answers.splunk.com/answers/387510/what-are-alternatives-to-using-the-join-command-fo.html
Splunk documentation for join contains alternatives with use cases as well: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join#Alternative_commands
You can also refer to http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation or Nick Mealy's .conf presentation for the same http://conf.splunk.com/sessions/2016-sessions.html#search=Let%20Stats%20Sort%20Them%20Out&.
Like DalJeanis and lguinn have mentioned, we could be more helpful if you can add more details: mock events, query, expected output.