Solved: How to execute a full outer join in splunk?

rkanumula · ‎04-03-2015

Hi,

i have a indexes A and B. when i am joining both indexes with type=outer, I am getting only left index data, but I want both columns of data. How do I do this?

ex:

Index A

id  name  sal
1    x    10,000

Index B

id desgn
1  eng

Now I want the output as:

id  name  sal     desg
1    x    10000   engineer

This is my current search:

index=a | join type=outer a.id[ SEARCH index=b]|table id,name,desg,sal

Thanks in advance

rkanumula · ‎05-05-2015

Got The Solution

Query:

index=a | join type=outer[ SEARCH index=b|rename id as id_cardNum]
|where id=id_cardNum|table id,name,desg,sal

View solution in original post

rkanumula · ‎05-05-2015

Got The Solution

Query:

index=a | join type=outer[ SEARCH index=b|rename id as id_cardNum]
|where id=id_cardNum|table id,name,desg,sal

richgalloway · ‎04-03-2015

Maybe it's a typo, but Splunk joins aren't the same as SQL joins. Did you try index=a | join type=outer id [search index=b] | table id name sal desgn ?

---
If this reply helps you, Karma would be appreciated.

How to execute a full outer join in splunk?

Brains, Bytes, and Boston: Learn from the Best at .conf25

Splunk AppDynamics Agents Webinar Series

SplunkTrust Application Period is Officially OPEN!

Are you a member of the Splunk Community?

How to execute a full outer join in splunk?

Brains, Bytes, and Boston: Learn from the Best at .conf25

Splunk AppDynamics Agents Webinar Series

SplunkTrust Application Period is Officially OPEN!