Solved: Search result in Join Not returning all the result...

karunagaraprabh · ‎01-06-2021

i have two queries where each queries return two rows as result . I am join two queries using left join which have common field as customerjobid. when i run the quires, the result set fetch only second quires result of first row.

scelikok · ‎01-06-2021

Hi @karunagaraprabh ,

join command joins only first event on subsearch results that each main search result can join as default. You should use "max" parameter to match more results.

| join CustomerjobId type=left max=2

You can find more info about "max" parameter below;

https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Join#Optional_arguments

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok · ‎01-06-2021

Hi @karunagaraprabh ,

join command joins only first event on subsearch results that each main search result can join as default. You should use "max" parameter to match more results.

| join CustomerjobId type=left max=2

You can find more info about "max" parameter below;

https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Join#Optional_arguments

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Search result in Join Not returning all the result in second result set

Unleash Unified Security and Observability with Splunk Cloud Platform

Enterprise Security Content Update (ESCU) | New Releases

Join the Splunk Developer Program Hackathon: Splunk Build-a-thon!