Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Join 2 searches on 2 different columns

xiaohenry
Explorer
‎03-06-2018 06:33 PM

I have 2 searches and i want to join the results of both of them into 1 table of x_requestid's. The respective result column in each search has a different name

Search 1:

index=A number=RU status=SUBMITTED | table x_requestid

Search 2:

index=A status=INELIGIBLE | rename request_id as x_requestid | table x_requestid

These individual searches provide exactly what I need, but when I try to join them I get nothing. Here's my join query

index=A number=RU status=SUBMITTED | table x_requestid | join x_requestid [search index=A status=INELIGIBLE | rename request_id as x_requestid | fields x_requestid] | table x_requestid
Tags (1)
0 Karma
Reply

mayurr98
Super Champion
‎03-07-2018 10:07 AM

If your problem is resolved, accept the correct answer for future readers and so that this question no longer appears open.

0 Karma
Reply

mayurr98
Super Champion
‎03-06-2018 09:41 PM

Hello

I think both the table would have duplicate values which will give you improper results after joining both tables.
You can try something like this .

index=A number=RU status=SUBMITTED 
| stats count as submitted_count by x_requestid 
| join x_requestid 
    [ search index=A status=INELIGIBLE 
    | stats count as ineligible_count by request_id 
    | rename request_id as x_requestid]

let me know if this helps!

Reply

xiaohenry
Explorer
‎03-07-2018 09:37 AM

Just realized I had a mistake in my original search. Thanks!

0 Karma
Reply

anjambha
Communicator
‎03-06-2018 08:44 PM

Hi,

Try this.
index=A number=RU status=SUBMITTED | table x_requestid | join x_requestid [search index=A status=INELIGIBLE | rename request_id as x_requestid | table x_requestid]

Reply

anjambha
Communicator
‎03-06-2018 08:54 PM

Above search represent Left join so as per your requirement you can manipulate your search or change join type=[Left|outer] for more information refer splunk join command doc.

0 Karma
Reply

xiaohenry
Explorer
‎03-07-2018 09:06 AM

Just realized I had a mistake in my original search. This works too, thanks !

0 Karma
Reply

anjambha
Communicator
‎03-07-2018 09:21 AM

Can you share sample data.

Also try this..

index=A number=RU status=SUBMITTED | dedup x_requestid| table x_requestid | join x_requestid [search index=A status=INELIGIBLE | rename request_id as x_requestid | dedup x_requestid | table x_requestid]

Or

index=A status=INELIGIBLE | rename request_id as x_requestid | dedup x_requestid | table x_requestid | join x_requestid [search index=A number=RU status=SUBMITTED | dedup x_requestid| table x_requestid]

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...