Splunk Search

How to use join to combine my two search?

Path Finder

I have two different sourcetypes with two different keys, but the values are the same for both keys.
Please help me with the search query.

0 Karma

Re: How to use join to combine my two search?

SplunkTrust

Give this a try (no join as they are expensive)

index=ABC (sourcetype=A OR sourcetype=B)
| eval id=coalesce(Aid,Cid)
| stats values(Bid) as Bid values(Did) as Did by id

Re: How to use join to combine my two search?

Contributor

Could try the sourcetype OR search above, or if you really need to specifically do a join, I believe this is what you'd be looking for:

index=ABC sourcetype=A | join type=inner Aid [search index=ABC sourcetype=B | rename Cid AS Aid]
0 Karma

Re: How to use join to combine my two search?

Esteemed Legend

Like this (ditch the join; it has limits):

index=ABC sourcetype=A OR sourcetype=B
| eval id=coalesce(Aid, Cid)
| stats values(Bid) AS Bid values(Did) AS Did BY id
0 Karma
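
Added example, not part of any reply above: the coalesce/stats pattern from the answers, run over constructed events so it can be pasted into a search bar without any index. The field names Aid, Bid, Cid and Did come from the replies; the sample values, the `sources` field and the final `where` filter are assumptions added here to reproduce what `join type=inner` would return (only ids present in both sourcetypes).

```spl
| makeresults
| eval sourcetype="A", Aid="1001", Bid="alpha"
| append [| makeresults | eval sourcetype="A", Aid="1002", Bid="beta"]
| append [| makeresults | eval sourcetype="B", Cid="1001", Did="x-ray"]
| append [| makeresults | eval sourcetype="B", Cid="1003", Did="yankee"]
| eval id=coalesce(Aid, Cid)
| stats values(Bid) AS Bid values(Did) AS Did dc(sourcetype) AS sources BY id
| where sources=2
| fields id Bid Did
```

With the constructed events only id 1001 survives the filter; dropping the `where` line keeps 1002 and 1003 as well, each with one of Bid/Did empty, which is the outer-join behaviour of the plain stats search.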

Re: How to use join to combine my two search?

Influencer

@sravankaripe - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too.

0 Karma