Splunk Search

Can Splunk join on multiple columns?

suhprano
Path Finder

How can you search Splunk to return a join on 2 columns

sourcetype=test1 [search=test2 |fields col1, col2]|fields col1, col2, col3

Basically, I want something like

SELECT * from test1 join test2 on test1.col1 =test2.col1 and test1.col2 = test2.col2
Tags (1)
1 Solution

hazekamp
Builder

You should be able to do this by specify multiple fields in Splunk's join command:

sourcetype=test1 | fields col1,col2 | join col1,col2 [search sourcetype=test2 | fields col1,col2,col3]

View solution in original post

marcoscala
Builder

How to achieve the same result, but when fields names are different? I have the problem to rebuild transactions from postfix/amavis logs, where the message is processed by a pipeline of different steps/processes and at a certain point, a new processing requests is queued in the pipeline. I have in an event the original "queue_id" and a new "queued_as" id, that in a next event will appear as a new "queue_id".

So I need to correlate events with a "queue_id" with events that have the same "queued_as" value.

Ideas?!?

0 Karma

the_wolverine
Champion

Try asking this as a new question so others can easier find and make use of it. In your case have you tried using coalesce for queue_id and queued_as fields?

0 Karma

jslealdi
Explorer

Try rename
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Rename
| rename original_field as "new_name"

0 Karma

hazekamp
Builder

You should be able to do this by specify multiple fields in Splunk's join command:

sourcetype=test1 | fields col1,col2 | join col1,col2 [search sourcetype=test2 | fields col1,col2,col3]

gkanapathy
Splunk Employee
Splunk Employee

It's unnecessary (and undesirable mostly) to use join if you can just use: `sourcetype=test1 [search=test2 | dedup col1 col2 | fields col1 col2]

This is basically your original search, but it should work just fine unless you've got more than a few thousand distinct col1,col2 value pairs.

0 Karma

suhprano
Path Finder

thanks! do you know if there's a limit to how many subsearches or joins splunk restricts?

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...