Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

2 index join not working

Laxman24
Explorer
‎11-01-2020 10:24 AM

Hi All,

I need some advice or help,

so I have 2 index I'd like to join but it seems not working as I expected :

index a

nameinfo
person1aa-bb-cc
person2bb-cc-dd
person3cc-dd-ee
thing1dd-ee-ff

 

index b

identifiernote
aabbccthis is good
bbccddthis is bad
ccddeethis is good

 

Id like to make the result below

nameinfonote
person1aa-bb-ccthis is good
person2bb-cc-ddthis is bad
person3cc-dd-eethis is good

 

What I currently have  is:

index=a 
| search name=person*
| eval identifier=replace(info, "-","")
| join type=outer identifier [search index=b]
| table name info note

 

But I still find the result "note" field is empty/null

did I miss something in this search  ?

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-01-2020 10:59 AM

Try without using join

index=a OR index=b
| eval identifier=if(isnull(identifier),replace(info, "-",""),identifier)
| stats values(*) as * by identifier
| search name=person*
| table name info note
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...