Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

2 index join not working

Laxman24
Explorer
‎11-01-2020 10:24 AM

Hi All,

I need some advice or help,

so I have 2 index I'd like to join but it seems not working as I expected :

index a

nameinfo
person1aa-bb-cc
person2bb-cc-dd
person3cc-dd-ee
thing1dd-ee-ff

 

index b

identifiernote
aabbccthis is good
bbccddthis is bad
ccddeethis is good

 

Id like to make the result below

nameinfonote
person1aa-bb-ccthis is good
person2bb-cc-ddthis is bad
person3cc-dd-eethis is good

 

What I currently have  is:

index=a 
| search name=person*
| eval identifier=replace(info, "-","")
| join type=outer identifier [search index=b]
| table name info note

 

But I still find the result "note" field is empty/null

did I miss something in this search  ?

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-01-2020 10:59 AM

Try without using join

index=a OR index=b
| eval identifier=if(isnull(identifier),replace(info, "-",""),identifier)
| stats values(*) as * by identifier
| search name=person*
| table name info note
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...