Re: How to join search results without using join ...

usersplunktest · ‎12-02-2016

I have this situation:

Table1
Id
Field1
Field2
Field3

Table2
Id
FieldA
FieldB

I need this result:

Id
Field1
Field2
Field3
FieldA
FieldB

Ok... that's easy, right?
But I can't use "join" clause and subsearch.

I've tried transaction and others options, but the result is wrong.

Can somebody help me?

Richfez · ‎12-02-2016

As I think on this, you may not even need append. You might be able to get by with just using OR between the two things you are searching for. Like...

source=Table1 OR source=Table2

And, if you want it sorted like in your example,

source=Table1 OR source=Table2 | sort Id

Splunk normally puts AND between terms, using OR just ... well, makes it OR.

Happy Splunking!
-Rich

Richfez · ‎12-02-2016

That's append that you want. It just takes one set of results and adds another set of results to it, like pasting new rows at the end of a spreadsheet or something.

search that returns the Field1-4 rows | append [search search that returns the FieldA-C rows ]

There's lot of good examples in the docs I linked above. I suggest reviewing those closely to learn how it handles certain things.

How to join search results without using join command?

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

There's No Place Like Chrome and the Splunk Platform

Customer Experience | Join the Customer Advisory Board!