Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to merge two searches (inner+outer)?

Kislac
Engager
‎09-06-2022 05:13 AM

Greetings.

Is it possible merge 2 search? If there is any common value than connect it. If there is no match keep the events with null()'s

Kislac_1-1662466289247.png

I have tired with join function, but the join function are drop those events where there is no match.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-07-2022 12:21 AM

Although functional and sometimes necessary, join and append are not the best tools to use where better options exist. Both use subsearches and have limits with data volumes, so the typical way to address 'joining' data sets is to do

(search 1) OR (search 2)
| stats values(*) as * by common_field

which effectively joins the data from both search 1 and 2 into a single row connected by the common field.

 

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-06-2022 06:00 AM

You didn't give us much to work with (it would be helpful to see the two searches), but one way to combine two searches is with the append command.

<<search 1>>
| append [ <<search 2>> ]
| stats values(*) as * by <<common field>>

In the example,  <<common field>> would be Key.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Kislac
Engager
‎09-07-2022 12:10 AM

@richgalloway ,

Sorry for poor question quality.

In other hand, with your inspiration i used following code, which is worked:

<<search 1>>
| join type=left key [ <<search 2>> ]
| append [ <<search 2>> ]
| dedup key

 So thank you

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-07-2022 05:05 AM

Why did you use both join and append?  Either by itself should be enough and would not require dedup.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-07-2022 12:21 AM

Although functional and sometimes necessary, join and append are not the best tools to use where better options exist. Both use subsearches and have limits with data volumes, so the typical way to address 'joining' data sets is to do

(search 1) OR (search 2)
| stats values(*) as * by common_field

which effectively joins the data from both search 1 and 2 into a single row connected by the common field.

 

Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...