How to use join to combine my two search?

sravankaripe · ‎02-23-2017

i have to two different sourcetypes
with two different key
but values are same for both keys
Please help me with search query.

aaraneta_splunk · ‎04-20-2017

@sravankaripe - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too.

woodcock · ‎03-25-2017

Like this (ditch the join; it has limits):

index=ABC sourcetype=A OR sourcetype=B
| eval id=coalesce(Aid, Cid)
| stats values(Bid) AS Bid values(Did) AS Did BY id

briancronrath · ‎02-23-2017

Could try the sourcetype OR search above, or if you really need to specifically do a join, I believe this is what you'd be looking for:

index=ABC sourcetype=A | join type=inner Aid [search sourcetype=B index=ABC]

somesoni2 · ‎02-23-2017

Give this a try (no join as they are expensive)

index=ABC (sourcetype=A OR sourcetype=B)
| eval id=coalesce(Aid,Cid)
| stats values(Bid) as Bid values(Did) as Did by id

How to use join to combine my two search?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!