Splunk Search

How do I join searches or use nested searches?

kamaleshwar
Explorer

I would like to know how to join searches or how to use nested searches. Please help with this.


Richfez
SplunkTrust
SplunkTrust

The documentation for join has a nice write-up on the command that should get you started. In general for these types of questions I start with the Splunk Documentation. The docs team does a good job.

One cautionary note: I would carefully consider if you need a join or not: there are a lot of other commands that can solve the problem where one would normally think they needed a join. Also, many of us with a SQL background seem to jump to join more quickly than they should because the terminology is familiar. There's nothing wrong with join; it's just that it's about the slowest and most "expensive" way to do what it does. So, if there's no way around using join then by all means USE it, but it can be worth it to ask in another question "I have this search with this join and it runs slow. Can someone help me rewrite it more efficiently?" (Obviously, a small set of sample data and a good description of what you are trying to accomplish are important there, too).

Anyway, good luck!
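As an added illustration that is not part of the original answer, the two searches below produce the same table: the first correlates failed logins with a user inventory via join, the second gets the same result from a single stats pass over both datasets. The index names (auth, assets), sourcetypes (linux_secure, user_inventory) and fields (user, department, action) are assumptions for the example.

```spl
index=auth sourcetype=linux_secure action=failure
| stats count AS failures BY user
| join type=left user
    [ search index=assets sourcetype=user_inventory
      | dedup user
      | fields user department ]
| where failures > 20
| table user department failures

(index=auth sourcetype=linux_secure action=failure) OR (index=assets sourcetype=user_inventory)
| eval failures=if(sourcetype="linux_secure", 1, 0)
| stats sum(failures) AS failures, values(department) AS department BY user
| where failures > 20
| table user department failures
```

The subsearch feeding join is capped by default at 50,000 results and 60 seconds, so a large inventory can be silently truncated and the correlation quietly miss accounts; the stats form has no subsearch, so it has no such cap and reads both datasets once.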

kamaleshwar
Explorer

Yeah, thanks! I've found another way to make the query run efficiently.