I found that when I use the subsearch or join command to join data,
I can't make Splunk return the complete result (compared to the join result we computed ourselves).
Can anyone help me with this? Thanks!
Here is my test data:
ab_data (1000 rows, fields: fa, fb, timestamp): http://paste.plurk.com/show/272467/
ac_data (1000 rows, fields: fa, fc, timestamp): http://paste.plurk.com/show/272469/
reference join result (226 rows, joined by field fa): http://paste.plurk.com/show/272470/
The search commands I used:
Subsearch (only 23 rows returned): index="test_join_ac" [ search index="test_join_ab" | fields fa ]
Join (no matching result returned): index="test_join_ac" | join type=inner max=0 fa [ search index="test_join_ab" ]
index=test_join_ac OR index=test_join_ab | stats first(fb) as fb first(fc) as fc min(_time) as _time by fa
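An added variant of the stats-based search above (my example, not the answerer's search), assuming the index and field names from the question (test_join_ab, test_join_ac, fa, fb, fc): it keeps only fa values that occur in both indexes, which is what an inner join returns, and expands every fb/fc pairing per fa instead of collapsing them with first().

```spl
index=test_join_ac OR index=test_join_ab
| stats list(fb) as fb list(fc) as fc min(_time) as _time dc(index) as src_count by fa
| where src_count=2
| mvexpand fb
| mvexpand fc
| fields - src_count
```

Append `| stats count` to compare the row count with the reference join result; note that list() keeps duplicate values but caps at 100 per field, whereas values() deduplicates, so the two aggregations can give different counts.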
If you want to combine ab_data and ac_data into one, you should use the transaction command.
index="test_join_ab" | transaction fields=fa
Or you can refer to this site for more information about using SQL-like commands in Splunk.
It doesn't work. After referring to the manual about the transaction command, I can't see that it can be used to correlate 2 different sets of data. Could you please give any more hints?