Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Example of left outer join in Splunk without using join?

anwarmian
Communicator
‎07-29-2014 05:29 PM

Please help me with a good example of Left Outer Join in Splunk without using "Join." I've seen examples of Inner Join without using "Join", but I haven't found one for Left Outer Join.

Thanks in advance!!!

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-29-2014 05:50 PM

Say you have sourcetypes one with field bar and two with field baz, and a common field foo. You'd search that using sourcetype=one OR sourcetype=two, or generate dummy data using this:

| stats count as sourcetype | eval sourcetype="one" | eval foo = "a b c"| makemv foo | mvexpand foo | eval bar = random()%42 | append [stats count as sourcetype | eval sourcetype="two" | eval foo = "b c d" | makemv foo | mvexpand foo | eval baz = random()%42]

That generates three events a,b,c from sourcetype one and three events b,c,d from sourcetype two. Left outer joining those should yield three events a,b,c, with no value for baz in case of a because sourctype two didn't have that.

Append this to compute that join:

| stats values(sourcetype) as sourcetype values(bar) as bar values(baz) as baz by foo | search sourcetype="one"

You should get a result like this:

foo  sourcetype  bar  baz
a    one           6
b    one           7   41
     two
c    one           8   18
     two

Leave off the final search to get a full outer join.

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-30-2014 12:09 AM

They do different things, so they aren't really comparable.

There's no need to use append in this case. My dummy data generator uses it, but it's not meant to churn out many events quickly.
Don't:

sourcetype=one | some stuff | append [search sourcetype=two | some stuff] | stats ... by foo

Do:

sourcetype=one OR sourcetype=two | some stuff | stats ... by foo

That'll be miles faster than either join or append based approaches.

0 Karma
Reply

weidertc
Contributor
‎01-09-2020 12:44 PM

If "one" is already ran as a base search, would it still be faster to re-run one in one OR two, or would it then make sense to use append if you decide to re-use the one base search? this is my situation.

0 Karma
Reply

to4kawa
Ultra Champion
‎01-09-2020 01:30 PM

dashboard?
query optimization is specific. it's better you provide your sample query.

0 Karma
Reply

anwarmian
Communicator
‎07-29-2014 09:00 PM

Thanks so much Martin. I'll try it out. Since I heard that "join" is expensive would "append" make the search faster?

0 Karma
Reply
Get Updates on the Splunk Community!

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...

New Year. New Skills. New Course Releases from Splunk Education

A new year often inspires reflection—and reinvention. Whether your goals include strengthening your security ...