Re: How to add join in one index - Splunk Community

Splunk Search

This is the piece of code i tried so far but the join part is not working for me i don't know why

((index="ata" sourcetype="s:sv" y_id>=4  te>= [| makeresults
|eval start_date=strftime(relative_time(now(), "-30d@d"),"%Y-%m-%dT%H:%M:%SZ") | fields start_date | return $start_date] earliest=-90d@d [|join type="inner" id [search index="ys_kb" sourcetype="lys:b_l" y_id>=4
ble=1 | dedup id | fields id |return id ]]) OR (index="s_ata" sourcetype="lys:h_xl" os=* earliest=-90d@d))

Probably you could explain what are you trying to achieve. There might be a better solution than Join

---
What goes around comes around. If it helps, hit it with Karma 🙂

Actually I want to use join in that particularly since the number of rows is more than 10,000

I tried using "inline search" but it not giving complete result Actually I was looking for the id that is present in that index ="ys_kb"

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...