Splunk Search

Help to use join to combine based on alert field

vkrishnachand
New Member

I have two tables, A and B. Based on the alert field value in table A, a corresponding row will be generated in table B.

I am going to use join to combine the table A and B values based on the alert field.

In some cases the alert field value in table A will be null, so no corresponding row is generated in table B, but I want to display these exception rows as well.

Please tell me how to achieve this.

0 Karma

martin_mueller
SplunkTrust

What do you mean by "table"?

0 Karma

vkrishnachand
New Member

This is a table command indeed and not a table :-).

0 Karma

woodcock
Esteemed Legend

I am going to take you literally even though I know it will generate an incorrect solution. You have not given us much with which to work. Try this:

| inputlookup TableA
| eval sourcetype="TableA"
| append [
    | inputlookup TableB
    | eval sourcetype="TableB"
]
| rename COMMENT AS "You probably don't have tables so maybe you need 'index=foo sourcetype=TableA OR sourcetype=TableB' instead"
| stats values(*) AS * dc(sourcetype) AS num_sourcetypes BY YourCommonFieldHere
| fillnull YourSometimesMissingButImportantFieldNameHere value="YourChosenDefaultValueHere"
0 Karma
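The merge-by-stats pattern from the answer above, worked on constructed data, as an added example that is not from the original thread. It assumes table A is the search carrying the sometimes-null alert field and table B is the per-alert detail (the alert IDs ALERT-1, ALERT-2, ALERT-4, the src and severity fields and the source_table marker are all made up here). One caveat the answer's snippet does not handle: stats ... BY <field> silently drops events that have no value for the BY field, so the null-alert rows the question wants to keep must be given a synthetic key before stats, not filled in afterwards.

```spl
| makeresults count=4
| streamstats count AS n
| eval alert=case(n=1,"ALERT-1", n=2,"ALERT-2", n=4,"ALERT-4")
| eval src="10.0.0.".n, source_table="A"
| fields - _time
| append
    [| makeresults count=2
     | streamstats count AS n
     | eval alert=case(n=1,"ALERT-1", n=2,"ALERT-2")
     | eval severity=case(n=1,"high", n=2,"low"), source_table="B"
     | fields - _time, n ]
| eval join_key=coalesce(alert, "no-alert-".n)
| stats values(*) AS * dc(source_table) AS num_tables BY join_key
| fillnull value="none" severity
| fields - join_key
| table alert src severity num_tables source_table
```

Row 3 of table A has no alert (case() with no default returns null), so coalesce() gives it the key no-alert-3 and it survives the stats. In the output, num_tables=2 marks alerts present in both tables, while num_tables=1 with severity "none" marks the exception rows. Because values() deduplicates and discards order, if table A can contain several rows with the same alert value, build join_key from a per-row identifier instead so they are not collapsed into one result.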

vkrishnachand
New Member

Many thanks for your prompt response. A left type join seems to produce good results :-).

0 Karma
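The join type=left form the poster settled on, written out on constructed data as an added example (not from the thread; the alert IDs and the src and severity fields are assumptions):

```spl
| makeresults count=4
| streamstats count AS n
| eval alert=case(n=1,"ALERT-1", n=2,"ALERT-2", n=4,"ALERT-4")
| eval src="10.0.0.".n
| fields - _time, n
| join type=left alert
    [| makeresults count=2
     | streamstats count AS n
     | eval alert=case(n=1,"ALERT-1", n=2,"ALERT-2")
     | eval severity=case(n=1,"high", n=2,"low")
     | fields - _time, n ]
| fillnull value="none" severity
| table alert src severity
```

type=left keeps every row of the outer search, including the row whose alert is null; the default type=inner would drop both that row and ALERT-4. Two limits are worth checking before relying on this in a scheduled alert search: join keeps only the first subsearch match per key unless max=0 is set, and the subsearch is subject to the [join] subsearch_maxout (50,000 rows) and subsearch_maxtime (60 s) caps in limits.conf, beyond which matches are silently truncated. That truncation is the scaling problem the other reply refers to.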

woodcock
Esteemed Legend

There are many problems with join and it does not scale. Use a solution like mine.

0 Karma

niketn
Legend

@vkrishnachand, can you add a data sample from table A and table B and your existing queries? Can you also explain what you mean by exception rows without any data? What is the alert field?

Please provide more details of your issue for us to assist you better.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

vkrishnachand
New Member

Many thanks for your timely response. I managed to design the query with a type left join and it seemed to work :-).

0 Karma