Solved: Help needed with inner join with different field n...

harryhcg · ‎01-24-2023

Can someone help with query?

I have 2 index abc and bcz
From abc index I want to show stats for field1
where field2 from index abc matches with field3 of index bcz
and bcz index field5="value"

what I tried which is not working:

index=abc

| stats count by field1

| join type=inner field2

[search index=bcz
| rename field3 as field2

| where field5="employee_name"]

ITWhisperer · ‎01-24-2023

Try something like this

index=abc [search index=bcz 
  | where field5="employee_name"
  | rename field3 as field2
  | fields field2]
| stats count by field1

View solution in original post

ITWhisperer · ‎01-24-2023

Try something like this

index=abc [search index=bcz 
  | where field5="employee_name"
  | rename field3 as field2
  | fields field2]
| stats count by field1

harryhcg · ‎01-24-2023

@ITWhisperer You are awesome, I was so stupid.
Thank you.

Help needed with inner join with different field name and a filter

join

subsearch

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant

Join the Conversation