- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can Splunk join on multiple columns?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can you search Splunk to return a join on 2 columns
sourcetype=test1 [search=test2 |fields col1, col2]|fields col1, col2, col3
Basically, I want something like
SELECT * from test1 join test2 on test1.col1 =test2.col1 and test1.col2 = test2.col2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be able to do this by specify multiple fields in Splunk's join command:
sourcetype=test1 | fields col1,col2 | join col1,col2 [search sourcetype=test2 | fields col1,col2,col3]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to achieve the same result, but when fields names are different? I have the problem to rebuild transactions from postfix/amavis logs, where the message is processed by a pipeline of different steps/processes and at a certain point, a new processing requests is queued in the pipeline. I have in an event the original "queue_id" and a new "queued_as" id, that in a next event will appear as a new "queue_id".
So I need to correlate events with a "queue_id" with events that have the same "queued_as" value.
Ideas?!?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try asking this as a new question so others can easier find and make use of it. In your case have you tried using coalesce for queue_id and queued_as fields?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try rename
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Rename
| rename original_field as "new_name"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be able to do this by specify multiple fields in Splunk's join command:
sourcetype=test1 | fields col1,col2 | join col1,col2 [search sourcetype=test2 | fields col1,col2,col3]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's unnecessary (and undesirable mostly) to use join if you can just use: `sourcetype=test1 [search=test2 | dedup col1 col2 | fields col1 col2]
This is basically your original search, but it should work just fine unless you've got more than a few thousand distinct col1,col2 value pairs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks! do you know if there's a limit to how many subsearches or joins splunk restricts?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
