I'm having problems while joining the queries.
I have the logs in the same index and application, but logged in different lines. I need to join 4 queries to join 4 fields.
Ex: Fields are StudentNumber, major, subjects, marks (failed), marks (pass).
I have the above fields in different lines but the index is the same, and everywhere I have the Student Number. So, I'm joining these fields using the StudentNumber, which requires 4 joins for the desired result.
Is there any alternate way to combine this information and get the details without using join?
Is this your homework? If not, then please give us your example query and maybe some scrubbed sample data.
If it is your homework, then I suggest that you do a Google/Bing/Yahoo search for "Splunk avoid join" and read the top 5-10 hits.
For more information, you could start with this one:
Splunk documentation for join contains alternatives with use cases as well: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join#Alternative_commands
You can also refer to http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation or Nick Mealy's .conf presentation for the same http://conf.splunk.com/sessions/2016-sessions.html#search=Let%20Stats%20Sort%20Them%20Out&.
Like DalJeanis and lguinn have mentioned, we could be more helpful if you can add more details: mock events, query, expected output.
The best alternate to `join`, in my opinion, is `stats` if you can make it work. If you can do a `max` by the unique field in all events, stats should generally work. However, `append` is another great option but has its limitations, as does everything.
If you can't get one of those options to work, can we have some more information about the dataset itself?
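To make the `stats`-instead-of-`join` advice concrete for the fields in the question, here is an added example (not from any of the answers above) showing the multi-`join` form first and then the single-pass `stats` equivalent that correlates the four line types on StudentNumber and flags students for whom one of the lines never appeared. The index, sourcetype and field names (`student_app`, `app_log`, `marks_failed`, `marks_pass`) are assumptions standing in for the asker's real ones.

```spl
index=student_app sourcetype=app_log major=*
| fields StudentNumber major
| join type=left StudentNumber
    [ search index=student_app sourcetype=app_log subjects=*
      | fields StudentNumber subjects ]
| join type=left StudentNumber
    [ search index=student_app sourcetype=app_log marks_failed=*
      | fields StudentNumber marks_failed ]
| join type=left StudentNumber
    [ search index=student_app sourcetype=app_log marks_pass=*
      | fields StudentNumber marks_pass ]
| table StudentNumber major subjects marks_failed marks_pass

index=student_app sourcetype=app_log StudentNumber=*
| fields StudentNumber major subjects marks_failed marks_pass
| stats values(major) as major,
        values(subjects) as subjects,
        max(marks_failed) as marks_failed,
        max(marks_pass) as marks_pass,
        count as lines_seen
  by StudentNumber
| eval status=if(isnull(major) OR isnull(subjects)
                 OR isnull(marks_failed) OR isnull(marks_pass),
                 "incomplete", "complete")
| table StudentNumber major subjects marks_failed marks_pass lines_seen status
```

The `stats` search reads the index once and has no subsearch result limit to hit; the `status` column is what the `join` version silently hides when one of the four line types is missing for a student.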