Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issue with parsing large dataset using Join

kiranpatil1985
New Member
‎09-11-2019 09:34 AM

Hello,
I am using the following search to parse 2 indexes since I want to combine the results from both indexes based on common field "email". I am running this search on my local Splunk instance and both indexes are uploaded CSV. I have configured limits.conf file to handle large dataset. I get different output for Clicked_link and delivered_email when I use the OR operator in the Join versus when I just use either of them I get the correct output. Am I missing something here. Why is the OR operator trimming output result. I see 0 output for bunch of tables when normally it is populated with some number.

index=IndexA
| join type=inner email [ search index=IndexB ( event=delivered OR event=click ) | dedup email event | fields email, event ]
| stats count(eval('event'="delivered")) as Email_Delivered
count(eval('event'="click")) as Clicked_links
by Region, Division, Country, Location
| table Region, Division, Country, Location, "Email_Delivered" , Clicked_links

Tags (4)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-12-2019 01:51 AM

Hi kiranpatil1985,
there is a limit of 50,000 results in subsearches, for this reason and because join command is very very slow, I suggest to approach this problem in a different way, using stats command.

index=IndexA OR index=IndexB ( event=delivered OR event=click ) 
| dedup email event | fields email, event ]
| stats count(eval('event'="delivered")) as Email_Delivered count(eval('event'="click")) as Clicked_links BY email Region, Division, Country, Location
| table Region, Division, Country, Location, "Email_Delivered" , Clicked_links

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...