Re: How to join three searches

arkonner · ‎08-28-2015

Hi,

I have three different indexes with a common field. I know how to use of the join command with two indexes with a common field.

How to do it with three?

Thank you in advance

acharlieh · ‎08-28-2015

join is used to merge results from two different searches, and any single search could return data from across multiple indexes for example:

(index=a OR index=b OR index=c) common_field=* | fields common_field, interesting_field1,interesting_field2,...,interesting_fieldN | stats values(*) as * by common_field

This search will pull data from three indexes with a common field, limit the extractions to the common field and N interesting fields, then get the values of each interesting field from across all indexes with the common field, and would as a rule of thumb would perform much faster than an equivalent join.

But recommendations on how you should proceed in joining the multiple data sets, depends heavily on both what your data sources are (what kind of data are in the three indexes), and what your goal is in using the join command. With enough background, people would then be able to better develop an appropriate use of join, or figure out if other techniques are better.

MuS · ‎08-28-2015

in addition: it is always a pleasure to direct to this answer http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi... 🙂

How to join three searches

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life