Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to join search results without using join command?

usersplunktest
New Member
‎12-02-2016 03:03 AM

I have this situation:

Table1
Id
Field1
Field2
Field3

Table2
Id
FieldA
FieldB

I need this result:

Id
Field1
Field2
Field3
FieldA
FieldB

Ok... that's easy, right?
But I can't use "join" clause and subsearch.

I've tried transaction and others options, but the result is wrong.

Can somebody help me?

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎12-02-2016 09:37 AM

As I think on this, you may not even need append. You might be able to get by with just using OR between the two things you are searching for. Like...

source=Table1 OR source=Table2

And, if you want it sorted like in your example,

source=Table1 OR source=Table2 | sort Id

Splunk normally puts AND between terms, using OR just ... well, makes it OR.

Happy Splunking!
-Rich

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎12-02-2016 04:34 AM

That's append that you want. It just takes one set of results and adds another set of results to it, like pasting new rows at the end of a spreadsheet or something.

search that returns the Field1-4 rows | append [search search that returns the FieldA-C rows ]

There's lot of good examples in the docs I linked above. I suggest reviewing those closely to learn how it handles certain things.

Reply
Register for .conf25!
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...
Top