Is it possible to merge two searches (inner+outer)?

Kislac
Engager

Greetings.

Is it possible to merge 2 searches? If there is any common value, then connect them. If there is no match, keep the events with null()'s.


I have tried the join function, but the join function drops those events where there is no match.

0 Karma
1 Solution

bowesmana
SplunkTrust

Although functional and sometimes necessary, join and append are not the best tools to use where better options exist. Both use subsearches and have limits with data volumes, so the typical way to address 'joining' data sets is to do

(search 1) OR (search 2)
| stats values(*) as * by common_field

which effectively joins the data from both search 1 and 2 into a single row connected by the common field.


richgalloway
SplunkTrust

You didn't give us much to work with (it would be helpful to see the two searches), but one way to combine two searches is with the append command.

<<search 1>>
| append [ <<search 2>> ]
| stats values(*) as * by <<common field>>

In the example,  <<common field>> would be Key.

---
If this reply helps you, Karma would be appreciated.
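The following search is an added example (not code from either reply above) that shows the `append` + `stats values(*) as * by <<common field>>` pattern from richgalloway's answer producing the full-outer-join result the question asks for, i.e. unmatched keys survive with the other side's fields left null instead of being dropped as `join` does. The two data sets are constructed inline with `makeresults` so it runs on any Splunk instance with no indexed data; the field names `key`, `left_val`, `right_val` and `src` are assumptions for the demo, and a `src` marker is added to each leg so the output shows which side contributed to each row.

```spl
| makeresults count=3
| streamstats count as n
| eval key=case(n=1,"A", n=2,"B", n=3,"C"), left_val="l".n, src="left"
| fields - _time, n
| append
    [| makeresults count=3
     | streamstats count as n
     | eval key=case(n=1,"B", n=2,"C", n=3,"D"), right_val="r".n, src="right"
     | fields - _time, n]
| stats values(*) as * by key
| eval matched=if(mvcount(src)=2, "yes", "no")
```

Expected output is four rows: B and C carry both `left_val` and `right_val` with `src` = left, right and `matched` = yes; A has only `left_val` and D only `right_val`, with `matched` = no and the missing field null. When both searches hit indexed data, the same result is obtained without a subsearch by writing the two searches as `(search 1) OR (search 2) | stats values(*) as * by key`, which is the form bowesmana's accepted solution recommends; it avoids the subsearch caps (`append` returns at most `maxout=50000` rows by default). Two caveats a practitioner should keep in mind: `values()` deduplicates and sorts lexicographically, so if both searches emit a field with the same name you get a multivalue field rather than two columns, and event order is lost, so use `first()`/`last()` or rename the fields in each leg before the `stats` if that matters.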

Kislac
Engager

@richgalloway ,

Sorry for poor question quality.

On the other hand, with your inspiration I used the following code, which worked:

<<search 1>>
| join type=left key [ <<search 2>> ]
| append [ <<search 2>> ]
| dedup key

 So thank you

0 Karma

richgalloway
SplunkTrust

Why did you use both join and append? Either by itself should be enough and would not require dedup.

---
If this reply helps you, Karma would be appreciated.
0 Karma

