Re: How to use join to combine my two search?

sravankaripe · ‎02-23-2017

i have to two different sourcetypes
with two different key
but values are same for both keys
Please help me with search query.

aaraneta_splunk · ‎04-20-2017

@sravankaripe - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too.

woodcock · ‎03-25-2017

Like this (ditch the join; it has limits):

index=ABC sourcetype=A OR sourcetype=B
| eval id=coalesce(Aid, Cid)
| stats values(Bid) AS Bid values(Did) AS Did BY id

briancronrath · ‎02-23-2017

Could try the sourcetype OR search above, or if you really need to specifically do a join, I believe this is what you'd be looking for:

index=ABC sourcetype=A | join type=inner Aid [search sourcetype=B index=ABC]

somesoni2 · ‎02-23-2017

Give this a try (no join as they are expensive)

index=ABC (sourcetype=A OR sourcetype=B)
| eval id=coalesce(Aid,Cid)
| stats values(Bid) as Bid values(Did) as Did by id

How to use join to combine my two search?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!