Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Join Command to compare 2 fields as a basis of comparison?

SplunkDash
Motivator
‎08-07-2023 11:27 AM

Hello,

How can we use 2 Fields to compare in Join Command. I have lookup table with tix1, tix2, tx3, and tx4 fields ; I also have index with tix1, tix2, ix3, and ix4 fields. How to use join command using tix1 and tix2 fields as a basis of comparison. It is working well when I use tix1 or tix2 fields as a basis for comparison. But it doesn't work when I use both tix1 and tix2. Any recommendation will be highly appreciated. Thank you!

Here is what I did with one field and working as expected

 |inputlookup x_account.csv 

| search tix2  IN(03,05)

| table tix1, tix2, tx3, and tx4

| join type=left tix1

[search index=idx_Account sourcetype="idx:events" tix2  IN(03,05)  |table Stix1, tix2, ix3, and ix4 ] 

 

But need to use:

|inputlookup x_account.csv 

| search tix2  IN(03,05)

| table tix1, tix2, tx3, and tx4

| join type=left tix1 tix2

[search index=idx_Account sourcetype="idx:events" tix2  IN(03,05)  |table Stix1, tix2, ix3, and ix4 ] 

 

 

 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-07-2023 03:54 PM

How big is your join dataset? Join has limitations (max 50,000 events in the join dataset) and writing the search this way round is typically the wrong way round - you would usually search the index, then lookup the index data to get the related lookup data.

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-07-2023 02:55 PM

Joining with more than one field does work, but perhaps not in the way you expect - please can you give some examples of the rows you have in your look up table and the events you expect them to join with, particularly for event you say it isn't working?

0 Karma
Reply

SplunkDash
Motivator
‎08-08-2023 01:12 PM

Hello @ITWhisperer and @bowesmana 

Volume of data around 25K events, so we should be fine based on your number. Regarding content of the fields

 

 tix1     tix2

010     9810!MA909

010     950021Q608

091    89120985A9

087   10982101B9

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-08-2023 03:27 PM

Can you give an example of the events which aren't being joined as you expect?

0 Karma
Reply

SplunkDash
Motivator
‎08-08-2023 04:10 PM

Hello @ITWhisperer,

Thank you so much for your quick response. I got an idea to get these issues resolved.

Here is what I did:

|inputlookup x_account.csv 

| search tix2  IN(03,05)| eval  con2field=tix1 + tix2

| table tix1, tix2, tx3, tx4, con2field

| join type=left con2field

[search index=idx_Account sourcetype="idx:events" tix2  IN(03,05)  | eval  con2field=tix1 + tix2 |table Stix1, tix2, ix3, ix4, con2field

 

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...