Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Help me to format the below query without the join command.

nivethainspire_
Explorer
‎03-26-2021 03:09 AM

Help me to format the below query without the join command.

index=sample sourcetype=Sample_1 | fillnull | makemv delim=";" AID | join type=left AID [search index=sam sourcetype=sam_1|fillnull|rename Name as AID] |fillnull value="" Cos|fields * | search Legment="SOFT"|search sev=Y |stats count(VName)

the query is too slow for me and I have to run without join.

Labels (2)
Labels
0 Karma
Reply

aasabatini
Motivator
‎03-26-2021 04:08 AM

Hi

please try to understand the logic on this search:

index=sample OR index=sam sourcetype=Sample_1 OR sourcetype=sam_1 | makemv delim=";" AID
rename Name as AID |fillnull value="" Cos |fields * | search Legment="SOFT"|search sev=Y |stats count(VName) by AID

 

this is the best way to do a search without a join, Also you can use the where condition.

 

Regards

Alessandro

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
Reply

nivethainspire_
Explorer
‎03-26-2021 04:20 AM

When I run this I get no result as the |search sev=Y has no data which is from 1st index and  | search Legment="SOFT"| is from 2nd index

Both search together not working

0 Karma
Reply

aasabatini
Motivator
‎03-26-2021 04:27 AM

Hi

I don't know your data setI shared the search only to understand the logic.

index=sample OR index=sam sourcetype=Sample_1 OR sourcetype=sam_1 Legment="SOFT" OR sev=Y  | makemv delim=";" AID
rename Name as AID |fillnull value="" Cos   |stats count(VName) by AID

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...