Greetings.
Is it possible to merge 2 searches? If there is any common value, then connect it. If there is no match, keep the events with null()'s.
I have tried with the join function, but the join function drops those events where there is no match.
You didn't give us much to work with (it would be helpful to see the two searches), but one way to combine two searches is with the append command.
<<search 1>>
| append [ <<search 2>> ]
| stats values(*) as * by <<common field>>
In the example, <<common field>> would be Key.
Sorry for the poor question quality.
On the other hand, with your inspiration I used the following code, which worked:
<<search 1>>
| join type=left key [ <<search 2>> ]
| append [ <<search 2>> ]
| dedup key
So thank you
Why did you use both join and append? Either by itself should be enough and would not require dedup.
Although functional and sometimes necessary, join and append are not the best tools to use where better options exist. Both use subsearches and have limits with data volumes, so the typical way to address 'joining' data sets is to do
(search 1) OR (search 2)
| stats values(*) as * by common_field
which effectively joins the data from both search 1 and 2 into a single row connected by the common field.
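An added example, not part of the original thread: the stats pattern above run over constructed sample rows, to show that keys present in only one data set are kept rather than dropped. The field names key, user, status and src and all values are assumptions; makeresults stands in for the events that (search 1) OR (search 2) would return, with rows 1-3 playing search 1 (key, user) and rows 4-6 playing search 2 (key, status).

```spl
| makeresults count=6
| streamstats count AS n
| eval src=if(n<=3, "search1", "search2")
| eval key=case(n==1,"A", n==2,"B", n==3,"C", n==4,"B", n==5,"C", n==6,"D")
| eval user=case(n==1,"alice", n==2,"bob", n==3,"carol")
| eval status=case(n==4,"locked", n==5,"active", n==6,"disabled")
| fields - _time n
| stats values(*) AS * BY key
| fillnull value="NULL" user status
```

Keys A and D exist on only one side and still produce a row, with the missing side's field filled as NULL; the multivalue src column shows which search contributed to each row.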