Splunk Search

How to join two searches on a common field where the value of the left search matches all values of the right search?

ahuseid
New Member

I need to join two searches on a common field, where I want a value of the left search to match all the values of the right search. Example:
Search A

X 1

Y 2

Search B
X 8
Y 9
X 11
Y 14
Z 7

When Joined
X 8
X 11
Y 9
Y 14

Thanks

0 Karma

ahuseid
New Member

I think the example I took was not clear enough. Here is a better example:
Search A

X ! #

Y % *

Search B
X 8
Y 9
X 11
Y 14
Z 7

When Joined
X ! # 8
X % * 11
Y ! # 9
Y % * 14

0 Karma

simonzfor
Explorer

I just don't see what you could possibly use to match these. This does not seem to be joining.

0 Karma

sanjay_shrestha
Contributor

Looking at your example, you are not joining two searches; you are filtering one search with common fields from the other search. If that is the case, then you can try as below:

index=SearchA [search index=SearchB | fields CommonField | rename CommonField as search | format] | table SearchAFields
0 Karma

richgalloway
SplunkTrust

Perhaps something like this will work:

<Search A> | fields field1 field2 | join field1 [search <Search B> | fields field1 field3] | table field1 field3
---
If this reply helps you, Karma would be appreciated.

ahuseid
New Member

Folks,
some of the characters in my second example didn't come out right. Here is a clearer one:

Search A

X chair orange
Y table lemon
Z desk banana

Search B

X 1
X 2
Y 3
Y 4
P 5

Joined Search (As I want it to be)

X chair orange 1
X chair orange 2
Y table lemon 3
Y table lemon 4

0 Karma

sendilprakash
Explorer

Hi @ahuseid, I am in the same situation, can you share your answer which worked for you?

0 Karma
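
Added example, not written by any participant in this thread: a self-contained SPL search that rebuilds the chair/table/desk sample as constructed rows with `makeresults format=csv` and joins them with `max=0`, so each left-hand row is paired with every matching right-hand row instead of only the first (the `join` default is `max=1`). The field names `key`, `item`, `fruit` and `num` are assumptions made for the illustration; replace the two `makeresults` generators with the real Search A and Search B.

```spl
| makeresults format=csv data="key,item,fruit
X,chair,orange
Y,table,lemon
Z,desk,banana"
| join type=inner max=0 key
    [| makeresults format=csv data="key,num
X,1
X,2
Y,3
Y,4
P,5"]
| table key item fruit num
```

The inner join drops `Z` (no match on the right) and `P` (no match on the left), leaving the four rows shown under "Joined Search". The right-hand side is a subsearch, so it is subject to the subsearch result limits set in limits.conf.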