Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Append more 50k or other soluction like a join

Michell_ctba
Explorer
‎01-19-2021 07:40 AM

Hello community. I am not able to perform a sub-search between 2 sourcetypes. The 'drm' sourcetype has 5 million events and I need to sub-search an sourcetype with 2 million events (drm_tuser). I tried with the join and append command followed by stats but I am not able to accomplish this task. Here is an example:

userId is a common field between sourcetypes.

index="ott" sourcetype="drm"

| append
[ search index=ott sourcetype=drm_tuser earliest=1]

| stats dc(sourcetype) as sourcetype values(retailerUserId) as retailerUserId values(bitrate) as bitrate by userId

Append use limit of 50k results in limits.conf, but I would not like to change the limits.conf so any other solution would be ideal


Tanks for help

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-19-2021 10:01 AM

Consider converting the drm_tuser sourcetype into a lookup table.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-19-2021 08:25 AM

Hi @Michell_ctba,

why do you want to use append? you don't need it, you can use OR!

Try something like this:

index="ott" (sourcetype="drm" OR sourcetype=drm_tuser)
| stats dc(sourcetype) as sourcetype values(retailerUserId) as retailerUserId values(bitrate) as bitrate by userId

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...