Splunk Search

Can Splunk join on multiple columns?

suhprano
Path Finder

How can you search Splunk to return a join on 2 columns?

sourcetype=test1 [search sourcetype=test2 | fields col1, col2] | fields col1, col2, col3

Basically, I want something like

SELECT * FROM test1 JOIN test2 ON test1.col1 = test2.col1 AND test1.col2 = test2.col2
1 Solution

hazekamp
Builder

You should be able to do this by specifying multiple fields in Splunk's join command:

sourcetype=test1 | fields col1,col2 | join col1,col2 [search sourcetype=test2 | fields col1,col2,col3]

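A self-contained version of that multi-field join, added here as an illustration and not taken from hazekamp's answer. Both sides are built with makeresults from constructed sample rows (the user / src_ip / action / alert field names and values are invented for the example): the main search holds login events keyed by user and src_ip, the subsearch holds alerts keyed by the same pair, and join keeps a row only when both fields match. max=0 lifts join's default of one subsearch match per main-search row.

```spl
| makeresults count=3
| streamstats count AS n
| eval user=case(n=1, "alice", n=2, "bob", n=3, "carol"),
       src_ip=case(n=1, "10.0.0.5", n=2, "10.0.0.9", n=3, "10.0.0.5"),
       action="login"
| fields user src_ip action
| join type=inner max=0 user src_ip
    [ | makeresults count=2
      | streamstats count AS n
      | eval user=case(n=1, "alice", n=2, "carol"),
             src_ip=case(n=1, "10.0.0.5", n=2, "10.0.0.7"),
             alert="impossible_travel"
      | fields user src_ip alert ]
| table user src_ip action alert
```

Only the alice / 10.0.0.5 row survives: carol appears on both sides, but her alert came from a different src_ip, so the two-field key does not match and the inner join drops her. Switching to type=left keeps every main-search row and leaves alert empty where nothing matched, which is the form to use when you want to see unmatched events rather than hide them.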

marcoscala
Builder

How can you achieve the same result when the field names are different? I have the problem of rebuilding transactions from postfix/amavis logs, where a message is processed by a pipeline of different steps/processes and at a certain point a new processing request is queued in the pipeline. In one event I have the original "queue_id" and a new "queued_as" id, which in a later event will appear as a new "queue_id".

So I need to correlate events with a "queue_id" with events that have the same "queued_as" value.

Ideas?!?

0 Karma

the_wolverine
Champion

Try asking this as a new question so others can find it and make use of it more easily. In your case, have you tried using coalesce for the queue_id and queued_as fields?

0 Karma

jslealdi
Explorer

Try rename
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Rename
| rename original_field as "new_name"

0 Karma
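An added example (not from the_wolverine's or jslealdi's replies) of lining the field names up before joining, using the postfix-style queue_id / queued_as chain marcoscala describes. All values are constructed; the from and to fields are assumed stand-ins for whatever the real log carries. The outer search renames queued_as to next_queue_id, the subsearch renames its queue_id to the same name, and join then links the two events of one message onto one row.

```spl
| makeresults count=2
| streamstats count AS n
| eval queue_id=case(n=1, "ABC123", n=2, "XYZ789"),
       queued_as=case(n=1, "DEF456", n=2, "QRS000"),
       from=case(n=1, "sender@example.com", n=2, "other@example.com")
| fields queue_id queued_as from
| rename queued_as AS next_queue_id
| join type=inner max=0 next_queue_id
    [ | makeresults count=1
      | eval queue_id="DEF456", to="recipient@example.com"
      | rename queue_id AS next_queue_id
      | fields next_queue_id to ]
| table queue_id next_queue_id from to
```

The ABC123 event is joined to the DEF456 event that carries the recipient; XYZ789 has no downstream event in the sample and is dropped by the inner join. The same alignment can be done without join by computing one link field on every event with eval and coalesce (queued_as where present, otherwise queue_id) and then grouping with stats by that field, which avoids join's subsearch limits on large log volumes.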


gkanapathy
Splunk Employee

It's unnecessary (and undesirable mostly) to use join if you can just use: sourcetype=test1 [search sourcetype=test2 | dedup col1 col2 | fields col1 col2]

This is basically your original search, but it should work just fine unless you've got more than a few thousand distinct col1,col2 value pairs.

0 Karma
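An added, self-contained version of the subsearch-as-filter approach, with constructed rows on both sides so it can be pasted into a search bar as-is (this is not gkanapathy's code; the col3 value and the sample col1/col2 pairs are invented). Splunk expands the subsearch's col1/col2 rows into an expression of the form (col1="..." AND col2="...") OR (...) and uses it to filter the outer results; dedup keeps duplicate pairs from adding redundant OR terms. Running the inner search alone with | format appended shows the generated expression.

```spl
| makeresults count=3
| streamstats count AS n
| eval col1=case(n=1, "alice", n=2, "bob", n=3, "carol"),
       col2=case(n=1, "10.0.0.5", n=2, "10.0.0.9", n=3, "10.0.0.7"),
       col3="outer_event"
| search
    [ | makeresults count=3
      | streamstats count AS n
      | eval col1=case(n=1, "alice", n=2, "alice", n=3, "bob"),
             col2=case(n=1, "10.0.0.5", n=2, "10.0.0.5", n=3, "10.0.0.1")
      | dedup col1 col2
      | fields col1 col2 ]
| table col1 col2 col3
```

Only the alice / 10.0.0.5 row passes: bob exists on both sides but with different col2 values, so the AND inside each pair rejects him. On the size caveat, the subsearch is bounded by the [subsearch] stanza in limits.conf: maxout (default 10000 results) and maxtime (default 60 seconds). Once the inner search hits either limit the filter is silently truncated and outer events are missed, which is the point at which join, or a stats-based correlation, becomes the better tool.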

suhprano
Path Finder

Thanks! Do you know if Splunk restricts how many subsearches or joins you can use?

0 Karma