Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to join search results without using join command?

usersplunktest
New Member
‎12-02-2016 03:03 AM

I have this situation:

Table1
Id
Field1
Field2
Field3

Table2
Id
FieldA
FieldB

I need this result:

Id
Field1
Field2
Field3
FieldA
FieldB

Ok... that's easy, right?
But I can't use "join" clause and subsearch.

I've tried transaction and others options, but the result is wrong.

Can somebody help me?

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎12-02-2016 09:37 AM

As I think on this, you may not even need append. You might be able to get by with just using OR between the two things you are searching for. Like...

source=Table1 OR source=Table2

And, if you want it sorted like in your example,

source=Table1 OR source=Table2 | sort Id

Splunk normally puts AND between terms, using OR just ... well, makes it OR.

Happy Splunking!
-Rich

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎12-02-2016 04:34 AM

That's append that you want. It just takes one set of results and adds another set of results to it, like pasting new rows at the end of a spreadsheet or something.

search that returns the Field1-4 rows | append [search search that returns the FieldA-C rows ]

There's lot of good examples in the docs I linked above. I suggest reviewing those closely to learn how it handles certain things.

Reply
Register for .conf25!
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...
Top