How can you search Splunk to return a join on 2 columns
sourcetype=test1 [search=test2 |fields col1, col2]|fields col1, col2, col3
Basically, I want something like
SELECT * from test1 join test2 on test1.col1 =test2.col1 and test1.col2 = test2.col2
You should be able to do this by specify multiple fields in Splunk's join command:
sourcetype=test1 | fields col1,col2 | join col1,col2 [search sourcetype=test2 | fields col1,col2,col3]
How to achieve the same result, but when fields names are different? I have the problem to rebuild transactions from postfix/amavis logs, where the message is processed by a pipeline of different steps/processes and at a certain point, a new processing requests is queued in the pipeline. I have in an event the original "queue_id" and a new "queued_as" id, that in a next event will appear as a new "queue_id".
So I need to correlate events with a "queue_id" with events that have the same "queued_as" value.
Ideas?!?
Try asking this as a new question so others can easier find and make use of it. In your case have you tried using coalesce for queue_id and queued_as fields?
Try rename
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Rename
| rename original_field as "new_name"
You should be able to do this by specify multiple fields in Splunk's join command:
sourcetype=test1 | fields col1,col2 | join col1,col2 [search sourcetype=test2 | fields col1,col2,col3]
It's unnecessary (and undesirable mostly) to use join
if you can just use: `sourcetype=test1 [search=test2 | dedup col1 col2 | fields col1 col2]
This is basically your original search, but it should work just fine unless you've got more than a few thousand distinct col1,col2
value pairs.
thanks! do you know if there's a limit to how many subsearches or joins splunk restricts?