Splunk Search

How to use join to combine my two search?

Path Finder


I have two different sourcetypes
with two different keys,
but the values are the same for both keys.
Please help me with the search query.

0 Karma

Splunk Employee

@sravankaripe - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too.

0 Karma

Esteemed Legend

Like this (ditch the join; it has limits):

index=ABC sourcetype=A OR sourcetype=B
| eval id=coalesce(Aid, Cid)
| stats values(Bid) AS Bid values(Did) AS Did BY id
0 Karma


Could try the sourcetype OR search above, or if you really need to specifically do a join, I believe this is what you'd be looking for:

index=ABC sourcetype=A | join type=inner Aid [search index=ABC sourcetype=B | rename Cid AS Aid]
0 Karma

Revered Legend

Give this a try (no join as they are expensive)

index=ABC (sourcetype=A OR sourcetype=B)
| eval id=coalesce(Aid,Cid)
| stats values(Bid) as Bid values(Did) as Did by id
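The two approaches in this thread (coalesce + stats versus an inner join) behave differently on the edges: which ids survive, what happens when the subsearch key keeps its original field name, and how many subsearch rows a join keeps per key. The following is an added example, not code from the thread, that models both searches in plain Python over constructed events so the difference can be checked offline; the field names Aid, Bid, Cid, Did and the sample values are assumptions matching the answers above, not data from the original question.

```python
"""Added example (not from the thread): simulate what the two SPL approaches
above do to events from two sourcetypes whose join key has a different field
name in each (Aid in sourcetype A, Cid in sourcetype B).
All events below are constructed sample data."""

from collections import defaultdict

# Constructed events: sourcetype A carries the key as "Aid" and a value "Bid";
# sourcetype B carries the same key values as "Cid" and a value "Did".
EVENTS = [
    {"sourcetype": "A", "Aid": "u100", "Bid": "login"},
    {"sourcetype": "A", "Aid": "u100", "Bid": "logout"},
    {"sourcetype": "A", "Aid": "u200", "Bid": "login"},
    {"sourcetype": "B", "Cid": "u100", "Did": "10.0.0.5"},
    {"sourcetype": "B", "Cid": "u300", "Did": "10.0.0.9"},
]


def coalesce(*values):
    """Splunk coalesce(): the first non-null argument."""
    for v in values:
        if v is not None:
            return v
    return None


def stats_by_coalesced_id(events):
    """Model of:
        index=ABC (sourcetype=A OR sourcetype=B)
        | eval id=coalesce(Aid, Cid)
        | stats values(Bid) AS Bid values(Did) AS Did BY id
    Returns {id: {"Bid": sorted distinct values, "Did": sorted distinct values}}.
    Like stats, every id seen in either sourcetype appears (outer-join
    semantics); a group with no values for a field just has an empty list.
    """
    groups = defaultdict(lambda: {"Bid": set(), "Did": set()})
    for ev in events:
        key = coalesce(ev.get("Aid"), ev.get("Cid"))
        if key is None:  # stats BY drops events whose group field is null
            continue
        for field in ("Bid", "Did"):
            if ev.get(field) is not None:
                groups[key][field].add(ev[field])
    return {k: {f: sorted(v) for f, v in g.items()} for k, g in groups.items()}


def inner_join_on_aid(events, rename_cid=True):
    """Model of:
        index=ABC sourcetype=A
        | join type=inner Aid [search index=ABC sourcetype=B | rename Cid AS Aid]
    Returns the A events that found a matching B event, merged.  With
    rename_cid=False the subsearch keeps the field name Cid, so no B event has
    an Aid field and the inner join matches nothing; that is the usual reason a
    join across two sourcetypes with different key names comes back empty.
    Splunk join keeps only the first matching subsearch row per key by default
    (max=1) and lets subsearch fields overwrite main-search fields
    (overwrite=true); both defaults are reproduced here.
    """
    right = {}
    for ev in events:
        if ev["sourcetype"] != "B":
            continue
        sub = dict(ev)
        if rename_cid:
            sub["Aid"] = sub.pop("Cid")
        key = sub.get("Aid")
        if key is not None and key not in right:  # first match wins (max=1)
            right[key] = sub
    joined = []
    for ev in events:
        if ev["sourcetype"] == "A" and ev.get("Aid") in right:
            merged = dict(ev)
            merged.update(right[ev["Aid"]])  # overwrite=true semantics
            joined.append(merged)
    return joined


if __name__ == "__main__":
    for row_id, row in sorted(stats_by_coalesced_id(EVENTS).items()):
        print("stats:", row_id, row)
    print("join (renamed):  ", inner_join_on_aid(EVENTS))
    print("join (no rename):", inner_join_on_aid(EVENTS, rename_cid=False))
```

Running it shows the practical difference: the stats version returns u100, u200 and u300 (ids present on only one side keep an empty list for the missing field), while the join returns only the two u100 rows from sourcetype A and returns nothing at all if the subsearch forgets to rename Cid to Aid.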