Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Append more 50k or other soluction like a join

Michell_ctba
Explorer
‎01-19-2021 07:40 AM

Hello community. I am not able to perform a sub-search between 2 sourcetypes. The 'drm' sourcetype has 5 million events and I need to sub-search an sourcetype with 2 million events (drm_tuser). I tried with the join and append command followed by stats but I am not able to accomplish this task. Here is an example:

userId is a common field between sourcetypes.

index="ott" sourcetype="drm"

| append
[ search index=ott sourcetype=drm_tuser earliest=1]

| stats dc(sourcetype) as sourcetype values(retailerUserId) as retailerUserId values(bitrate) as bitrate by userId

Append use limit of 50k results in limits.conf, but I would not like to change the limits.conf so any other solution would be ideal


Tanks for help

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-19-2021 10:01 AM

Consider converting the drm_tuser sourcetype into a lookup table.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-19-2021 08:25 AM

Hi @Michell_ctba,

why do you want to use append? you don't need it, you can use OR!

Try something like this:

index="ott" (sourcetype="drm" OR sourcetype=drm_tuser)
| stats dc(sourcetype) as sourcetype values(retailerUserId) as retailerUserId values(bitrate) as bitrate by userId

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...