Re: How to join search results without using join ...

usersplunktest · ‎12-02-2016

I have this situation:

Table1
Id
Field1
Field2
Field3

Table2
Id
FieldA
FieldB

I need this result:

Id
Field1
Field2
Field3
FieldA
FieldB

Ok... that's easy, right?
But I can't use "join" clause and subsearch.

I've tried transaction and others options, but the result is wrong.

Can somebody help me?

Richfez · ‎12-02-2016

As I think on this, you may not even need append. You might be able to get by with just using OR between the two things you are searching for. Like...

source=Table1 OR source=Table2

And, if you want it sorted like in your example,

source=Table1 OR source=Table2 | sort Id

Splunk normally puts AND between terms, using OR just ... well, makes it OR.

Happy Splunking!
-Rich

Richfez · ‎12-02-2016

That's append that you want. It just takes one set of results and adds another set of results to it, like pasting new rows at the end of a spreadsheet or something.

search that returns the Field1-4 rows | append [search search that returns the FieldA-C rows ]

There's lot of good examples in the docs I linked above. I suggest reviewing those closely to learn how it handles certain things.

How to join search results without using join command?