Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to join 2 search

supriyagaw08
Explorer
‎12-11-2020 03:04 AM

Hello all,

I want to join 2 search based upon one common filed from both the search , 

index=14 search_name="Daily Counts" |rename A_USER_NM as USER_NM|table Date USER_NM FILE_ID FILE_NM filecount| join USER_NM
[ search index=14 earliest=-24h@h latest=now sourcetype=user source=O  001
| dedup USER_NM
| table USER_NM USER_ID indicator ]

I tried above search its working but its not displaying all results, few records are getting missed, let me know where am I making mistake or any other method that i can use.

Tags (1)
0 Karma
Reply

nickhills
Ultra Champion
‎12-11-2020 03:22 AM

A direct answer to the question using join:

 

index=14 search_name="Daily Counts" 
|rename A_USER_NM as USER_NM
|table Date USER_NM FILE_ID FILE_NM filecount
| join type=left max=0 USER_NM
[ search index=14 earliest=-24h@h latest=now sourcetype=user source=O  001
| dedup USER_NM
| table USER_NM USER_ID indicator ]

 

I am unclear if  the dedup in the subsearch is necessary if you are missing results?

However, there are normally better/more efficient ways of obtaining the same results with stats, but it might help to see some sample data to provide you with a stats example

If my comment helps, please give it a thumbs up!
0 Karma
Reply

supriyagaw08
Explorer
‎12-11-2020 03:37 AM

HI @nickhills  thanks for the reply but i used this and its showing the fileds USER_ID indicator as blanks even i remove dedup.

The output from my search 1 is Date| A_USER_NM| FILE_ID FILE_NM |filecount and output 2 has many fields from which i want only USER_ID and indicator. Both search has common index but different search reports

0 Karma
Reply

nickhills
Ultra Champion
‎12-11-2020 03:52 AM

That would suggest the second search is not finding any matches.  Are you sure that USER_NM is the correct field to match on (does it also need renaming perhaps?)

If you just run your second search, do you see results for USER_NM and USER_ID in the same rows?

If my comment helps, please give it a thumbs up!
0 Karma
Reply

supriyagaw08
Explorer
‎12-15-2020 12:37 AM

Hi @nickhills thanks for your help the issue was with search 2 it was not giving complete search I was looking for , fixed that and issue was resolved.

Reply

supriyagaw08
Explorer
‎12-11-2020 04:01 AM

@nickhills user_nm is correct common field between 2 search, also yes in output of second search USER_NM and USER_ID are in same row

0 Karma
Reply

nickhills
Ultra Champion
‎12-11-2020 04:09 AM

Just because you wrote "user_nm" (and this may be a silly question) do both search results have the field USER_NM in upper case? Fieldnames (in the join) would be case sensitive.

From what you are saying, it sounds like the search should work. Are you able to provide a screenshot (with redactions etc) of all the searches?

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...