- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to find the matches of the fields from the...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to find the matches of the fields from the first table with the values of the second
Hello.
I have two tables.
I need to compare the values of two columns in each table.
In result, I want to receive rows from the first table only with fields, which faced in the second table.
Table 1
- v11 v12 v13 v14
- v21 v22 v23 v24
- v31 v32 v33 v34
- v41 v42 v43 v44
Table 2
- v21 v22
- v31 v32
As a result, I need to receive only two strings №2 and №3 from the first table.
I can't use subsearch because in the second table more than 2 million strings... And I need to start this search every minute.
Have you any ideas?
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rockin' cool, @jacobevans! Thanks for the answer.
But when we adapted it for our data, we faced the new issue: the long-time request, where appending >2M events from the table 2 is taking most of the time.
Is any decision (may be architectural) for this one?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What does your base search and append look like? Ideally you would not be appending anything. It should look something like this:
(index=Table1 OR index=Table2)
It sounds like you may come from a SQL background like myself. In Splunk, you don't want to join/intersect/append/sub search. It is always preferred to make the base search as broad (yet still small) as possible and then only to further refine the results from there. Don't even think of two separate queries as different tables. Think of them as different subsets of a single parent search.
Jacob
If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greetings @verteletskyia,
Assuming there are no duplicates in Table 1, you could do something like this run-anywhere search:
| makeresults | eval col1="v11", col2="v12", col3="v13", col4="v14"
| append [ | makeresults | eval col1="v21", col2="v22", col3="v23", col4="v24" ]
| append [ | makeresults | eval col1="v31", col2="v32", col3="v33", col4="v34" ]
| append [ | makeresults | eval col1="v41", col2="v42", col3="v43", col4="v44" ]
| append [ | makeresults | eval col1="v21", col2="v22" ]
| append [ | makeresults | eval col1="v31", col2="v32" ]
| stats values(col3) as col3
values(col4) as col4
count
by col1 col2
| where count > 1
| mvexpand col3
| mvexpand col4
Jacob
If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
