Re: How to join two searches on a common field whe...

ahuseid · ‎05-20-2015

I need to join two searches on a common field in which I want a value of the left search matches all the values of the right search. Example
Search A

X 1

Y 2

Search B
X 8
Y 9
X 11
Y 14
Z 7

When Joined
X 8
X 11
Y 9
Y 14

Thanks

ahuseid · ‎05-20-2015

I think the example I took was not clear enough. Here is a better example:
Search A

X ! #

Y % *

Search B
X 8
Y 9
X 11
Y 14
Z 7

When Joined
X ! # 8
X % * 11
Y ! # 9
Y % * 14

simonzfor · ‎11-01-2019

I just don't see what you could possibly use to match these. This does not seem to be joining.

sanjay_shrestha · ‎05-20-2015

Looking at your example, you are not joining two searches, you are filtering one search with common fields from other search. If that is the case, then you can try as below:

index=SearchA [index=SearchB|fields CommonField as search|format]|table SearchAFields

richgalloway · ‎05-20-2015

Perhaps something like this will work:

<Search A> | fields field1 field2 | join field1 [search <Search B> | fields field1 field3] | table field1 field3

---
If this reply helps you, Karma would be appreciated.

ahuseid · ‎05-20-2015

Folks,
some of the characters in my second example didn't come out right. Here is a clearer one:

Search A

X chair orange
Y table lemon
Z desk banana

Search B

X 1
X 2
Y 3
Y 4
P 5

Joined Search (As I want it to be)

X chair orange 1
X chair orange 2
Y table lemon 3
Y table lemon 4

sendilprakash · ‎11-15-2018

Hi @ahuseid, I am in the same situation, can you share your answer which worked for you?

How to join two searches on a common field where the value of the left search matches all values of the right search?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms