Solved: Re: Get full join result of two logs

foloyo1314 · ‎12-19-2012

How to get full join result of the below two logs:
log1:
ID, value1
1,aaa
1,abc

log2:
ID, value2
1,X1
1,X4
When join the two logs with source=log1 join type=inner ID [search source=log2] , it will get results like
ID,value1,value2
1,aaa,X1
1,abc,X1
How can I get the full join of the two logs like:
ID,value1,value2
1,aaa,X1
1,abc,X1
1,aaa,X4
1,abc,X4
Thanks!

martin_mueller · ‎12-19-2012

You're probably looking for the max=0 option of the join command, enabling the re-use of a previously joined event for more joins. Note though, for large inputs this may yield huge result sets.

View solution in original post

martin_mueller · ‎12-19-2012

You're probably looking for the max=0 option of the join command, enabling the re-use of a previously joined event for more joins. Note though, for large inputs this may yield huge result sets.

martin_mueller · ‎04-05-2013

The question of how to get the full join was indeed solved by setting max=0. If you have a different problem not solved by this you should ask a separate question.

smolcj · ‎04-05-2013

😞 How this is solved?? even i am looking for same solution.. i have 3 joins in my query 😞 but appending max=0 didn't solve my issue 😞

Get full join result of two logs

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms