Re: Join 2 indexes

jwgiblin3 · ‎05-04-2017

I have 2 indexes that I am joining and I am getting different results based on whether I start the search with one index vs the other. The join is a one to many relationship

Indexes
- filemeta (1)
- fileacl (*)

Query 1 - 1 Result
index="filemeta" Path="\\server\testshare" | join "Path" [ search index="fileacl" ]
Query 2 - 6 results
index="fileacl" Path="\\server\testshare" | join "Path" [ search index="filemeta" ]

Am I missing something on Query 1 in order to see all the results from the fileacl index?

richgalloway · ‎05-04-2017

As you've discovered, the order of a join is significant. The type of join also makes a difference. The default type is inner which means the results do not include events from the main (1st) search that have no matches in the subsearch (2nd). Events that match on both sides are always included.

---
If this reply helps you, Karma would be appreciated.

jwgiblin3 · ‎05-04-2017

Thanks for your reply. I do understand inner joins. What I am not clear is why it only included 1 event when there are many events for that path

Join 2 indexes

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Join the Conversation