Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare 2 table with a same field value?

Jayee3010
New Member
‎07-28-2016 04:59 AM

Hi,
Please help me construct this query.
I have 2 search tables
Table1 from Sourcetype=A
FieldA1 FieldB1

Table2 from Sourcetype=B
FieldA2 FieldB2

Output Table should be:

FieldA1 FieldB1 FieldA2 [where value(FieldB1)=value(FieldB2)]

Thank you.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-28-2016 07:51 AM

Here's one way, although perhaps not the most efficient.

sourcetype=A | join FieldB1 [search sourcetype=B | rename FieldB2 as FieldB1] | table FieldA1 FieldB1 FieldA2
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎08-05-2016 08:25 AM

Something that should work without a join ...

sourcetype=A OR sourcetype=B 
| eval common=coalesce(FieldB1,FieldB2) 
| stats first(FieldA1) as FieldA1, first(FieldB1) as FieldB2, first(FieldA2) as FieldA2 by common
Reply
Solved! Jump to solution

Jayee3010
New Member
‎08-05-2016 10:19 PM

Thanks. coalesce() will combine both fields. So the query is giving many false positives. However, I edited the query a little, and getting the targeted output. And this is faster. Thanks so much for the help.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-29-2016 05:26 AM

Try this

index=myindex sourcetype=A OR sourcetype=B | eval f1=coalesce(FieldB2, FieldB1) | stats values(FieldA1) as FieldA1 values(FieldA2) as FieldA2 by f1 | rename f1 AS FieldB1
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-28-2016 07:51 AM

Here's one way, although perhaps not the most efficient.

sourcetype=A | join FieldB1 [search sourcetype=B | rename FieldB2 as FieldB1] | table FieldA1 FieldB1 FieldA2
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Jayee3010
New Member
‎07-28-2016 07:11 PM

Hi,

Thanks for the query. I tried join command but, it didn't work. My output expectation is below:

sourcetype=A ..... | fields FieldA1, FieldB1 -> search value(FieldB1) in sourcetype=B | fields FieldA2,FieldB2 where FieldB1=FieldB2 | table FieldA1,FieldB1,FieldA2

Does it make sense?

Thank you.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-29-2016 11:21 AM

The way I read your output expectation matches the query I gave in my answer. How is the join failing you?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Jayee3010
New Member
‎08-05-2016 06:15 AM

Hi,

Sorry for the late response. Yes, its worked finally. I had to alter my logic a bit. Swapped the query and received the output. But, Join command is very slow and taking long time to produce the result.

Thanks so much.

0 Karma
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎08-05-2016 08:19 AM

Join is slow. That is one of its downfalls.

0 Karma
Reply
Get Updates on the Splunk Community!

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...

What’s New in Splunk Observability Cloud: January Feature Highlights & Deep Dives

Splunk Observability Cloud continues to evolve, empowering engineering and operations teams with advanced ...