How do I make an "inner join" in Splunk for this SQL query?
INNER JOIN table2
It goes something like this:
source=table1 | JOIN type=inner id [ SEARCH source=table2 | rename user_id AS id ]
You might find this document helpful: Splunk for SQL users
I'm new using Splunk.
Is "source" the same as a "host"?
Or how can I create tables?
Source and host are not the same. Source is the file containing the event (data) whereas host is the computer containing the source. You might want to check out the Splunk Tutorial (http://www.splunk.com/view/SP-CAAAH9U).
Splunk doesn't have "tables". It is not a database. Data is stored in indexes. Each entry in an index is an 'event'. Events typically contain a number of 'fields'. What constitutes a field depends on the type of event.
To create an index, go to Settings->Indexes and click the New Index button (you must be an admin to do this). Once you've created an index, you can then add data to it by selecting Settings->Add Data.
Thank you. It worked. 🙂
Please accept the answer.