Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Is join order important ?

avdbsql
Engager
‎04-16-2015 08:04 AM

Could someone explain why I have this kind of difference?
index=data sourcetype=st1 num=10 --> gives 2 results
index=data sourcetype=st2 num=10 --> gives 10 results

When I tried a join between st1 (first) and st2, I've got 2 results :
index=data sourcetype=st1 num=10 | join type=inner num [ search index=data sourcetype=st2 ] --> gives 2 results

When I tried a join between st2 (first) and st1, I've got 10 results :
index=data sourcetype=st2 num=10 | join type=inner num [ search index=data sourcetype=st1 ] --> gives 10 results

I heard that join is similar to SQL join but doesn't look that it works the same way. Any ideas?

Tags (3)
Reply

ngatchasandra
Builder
‎04-16-2015 08:26 AM

Hi,
Join order have effect,

when you write index=data sourcetype=st1 num=10 | join type=inner num [ search index=data sourcetype=st2 ] and obtain 2 results ,is because the results of index=data sourcetype=st1 num=10 who is 10 is join with results from search search index=data sourcetype=st2 on value field type=inner and field num. This returns 2 results because there is 2 correspondence between the two search on type=inner num fields. This is normal that you obtained 2 results.

Thus, in the second case, is the same thing, because the first search is return 10 results who will join with results of second search . This returns 10 results because there is 10 correspondence between the two search on type=inner num fields.

This means that Join do correspondence between results of two search in both case.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-16-2015 08:24 AM

Yes, join order is important. Join type is also important. In an inner join, events from the main search are included only if they match an event from the subsearch. That is why you see the results you do. An outer join returns all events from both searches.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...