Splunk Search

How to join two searches on a common field where the value of the left search matches all values of the right search?

New Member

I need to join two searches on a common field so that each value from the left search matches all the values from the right search. Example:
Search A

X 1
Y 2

Search B
X 8
Y 9
X 11
Y 14
Z 7

When Joined
X 8
X 11
Y 9
Y 14

Thanks

0 Karma

Re: How to join two searches on a common field where the value of the left search matches all values of the right search?

SplunkTrust

Perhaps something like this will work:

<Search A> | fields field1 field2 | join max=0 field1 [search <Search B> | fields field1 field3] | table field1 field3
---
If this reply helps you, an upvote would be appreciated.

Re: How to join two searches on a common field where the value of the left search matches all values of the right search?

New Member

Folks,
some of the characters in my second example didn't come out right. Here is a clearer one:

Search A

X chair orange
Y table lemon
Z desk banana

Search B

X 1
X 2
Y 3
Y 4
P 5

Joined Search (As I want it to be)

X chair orange 1
X chair orange 2
Y table lemon 3
Y table lemon 4

0 Karma
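
A join on the common field with max=0, run on the sample rows from the post above, as an added example that is not part of any reply in this thread. By default join keeps only the first matching subsearch row for each main-search row (max=1), so max=0 is what lets X and Y each pick up both of their Search B rows. The field names key, item, fruit and num are assumptions, and the rows are constructed inline with makeresults format=csv (available in recent Splunk versions) so the search runs without any index.

```spl
| makeresults format=csv data="key,item,fruit
X,chair,orange
Y,table,lemon
Z,desk,banana"
| join type=inner max=0 key
    [| makeresults format=csv data="key,num
X,1
X,2
Y,3
Y,4
P,5"]
| table key item fruit num
| sort key num
```

Z and P have no partner on the other side, so the inner join drops them. join subsearches are subject to result and runtime limits, so a large right-hand search can be truncated without an error.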

Re: How to join two searches on a common field where the value of the left search matches all values of the right search?

Explorer

Hi @ahuseid, I am in the same situation. Can you share the answer that worked for you?

0 Karma

Re: How to join two searches on a common field where the value of the left search matches all values of the right search?

Contributor

Looking at your example, you are not joining two searches; you are filtering one search with common fields from the other search. If that is the case, then you can try as below:

index=SearchA [search index=SearchB | fields CommonField | rename CommonField as search | format] | table SearchAFields
0 Karma

Re: How to join two searches on a common field where the value of the left search matches all values of the right search?

New Member

I think the example I took was not clear enough. Here is a better example:
Search A

X ! #

Y % *

Search B
X 8
Y 9
X 11
Y 14
Z 7

When Joined
X ! # 8
X % * 11
Y ! # 9
Y % * 14

0 Karma

Re: How to join two searches on a common field where the value of the left search matches all values of the right search?

Explorer

I just don't see what you could possibly use to match these. This does not seem to be joining.

0 Karma