Splunk Search

Is it possible to merge two searches (inner+outer)?

Kislac
Engager

Greetings.

Is it possible to merge 2 searches? If there is any common value, then connect them. If there is no match, keep the events with null()s.


I have tried with the join function, but the join function drops those events where there is no match.

1 Solution

bowesmana
SplunkTrust

Although functional and sometimes necessary, join and append are not the best tools to use where better options exist. Both use subsearches and have limits with data volumes, so the typical way to address 'joining' data sets is to do

(search 1) OR (search 2)
| stats values(*) as * by common_field

which effectively joins the data from both search 1 and 2 into a single row connected by the common field.


richgalloway
SplunkTrust

You didn't give us much to work with (it would be helpful to see the two searches), but one way to combine two searches is with the append command.

<<search 1>>
| append [ <<search 2>> ]
| stats values(*) as * by <<common field>>

In the example, <<common field>> would be Key.

---
If this reply helps you, Karma would be appreciated.
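The two answers above both rely on the same idea: put every event from both searches into one pipeline and let stats collapse them by the common field, so a key that appears in only one side still produces a row (with the other side's fields left empty). The search below is an added example, not code from either poster; it builds both datasets inline with makeresults so it can be pasted into any search bar with no indexed data, and the field names key, left_val and right_val plus the key values A to D are constructed for the illustration. With real indexed data the makeresults/append construction is replaced by the (search 1) OR (search 2) form from the accepted answer, and the stats line stays the same.

```spl
| makeresults count=3
| streamstats count as n
| eval key=case(n=1, "A", n=2, "B", n=3, "C"), left_val="L".n
| fields key left_val
| append
    [| makeresults count=3
     | streamstats count as n
     | eval key=case(n=1, "B", n=2, "C", n=3, "D"), right_val="R".n
     | fields key right_val ]
| stats values(left_val) as left_val, values(right_val) as right_val by key
| fillnull value="(none)" left_val right_val
```

The result has four rows: A carries only left_val, D carries only right_val, and B and C carry both. The fillnull at the end is only there to make the gaps visible; without it the unmatched fields are simply absent from the row, which is the null() behaviour the question asked for, whereas join (without type=left) would have dropped A and D entirely.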

Kislac
Engager

@richgalloway ,

Sorry for poor question quality.

On the other hand, with your inspiration I used the following code, which worked:

<<search 1>>
| join type=left key [ <<search 2>> ]
| append [ <<search 2>> ]
| dedup key

So thank you


richgalloway
SplunkTrust

Why did you use both join and append? Either by itself should be enough and would not require dedup.

---
If this reply helps you, Karma would be appreciated.

