
Is there any alternate for JOIN

Explorer

Hi,

I'm having problems while joining the queries.

I have the logs in the same index and application, but logged on different lines. I need to join 4 queries to join 4 fields.
Ex: Fields are StudentNumber, major, subjects, marks (failed), marks (pass)
I have the above fields on different lines, but the index is the same, and everywhere I have StudentNumber. So I'm joining these fields using StudentNumber, which requires 4 joins for the desired result.

Is there any alternate way to combine this information and get the details without using join?

0 Karma

Re: Is there any alternate for JOIN

SplunkTrust

Please give us an example query that gets you each kind of record. Also, a non-confidential example of the data and the output you expect/hope for.

0 Karma

Re: Is there any alternate for JOIN

Legend

Is this your homework? If not, then please give us your example query and maybe some scrubbed sample data.
If it is your homework, then I suggest that you do a Google/Bing/Yahoo search for "Splunk avoid join" and read the top 5-10 hits.
For more information, you could start with this one:
https://answers.splunk.com/answers/387510/what-are-alternatives-to-using-the-join-command-fo.html

0 Karma

Re: Is there any alternate for JOIN

Legend

Splunk documentation for join contains alternatives with use cases as well: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join#Alternative_commands

You can also refer to http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation or Nick Mealy's .conf presentation for the same http://conf.splunk.com/sessions/2016-sessions.html#search=Let%20Stats%20Sort%20Them%20Out&.

Like DalJeanis and lguinn have mentioned, we could be more helpful if you could add more details: mock events, the query, and the expected output.

| eval message="Happy Splunking!!!"

0 Karma

Re: Is there any alternate for JOIN

Super Champion

The best alternate to join, in my opinion, is stats, if you can make it work. If you can do a values, latest or max by the unique field in all events, stats should generally work. However, append is another great option but has its limitations, as does everything.

If you can't get one of those options to work, can we have some more information about the dataset itself?

0 Karma
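As an added illustration of the stats approach described in the answers above (this is not a search posted by anyone in the thread), assume the four record kinds from the question all live in a constructed index `student` and each event carries `StudentNumber`, with the assumed field names `major`, `subjects`, `marks_failed` and `marks_pass`. One pass of `stats ... by StudentNumber` replaces the four joins:

```spl
index=student (major=* OR subjects=* OR marks_failed=* OR marks_pass=*)
| stats
    values(major)        AS major
    values(subjects)     AS subjects
    latest(marks_failed) AS marks_failed
    latest(marks_pass)   AS marks_pass
    count                AS events_seen
  BY StudentNumber
| where isnotnull(major) AND isnotnull(subjects)
    AND isnotnull(marks_failed) AND isnotnull(marks_pass)
```

Without the final `where`, the result behaves like a left join (one row per StudentNumber even when some record kinds are missing); the `where` restricts it to students for whom all four record kinds were found, which is what the chained inner joins would have returned.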