Solved: Join Statment

hartfoml · ‎01-18-2013

OK the last question might have bee to hard for the group. So try this one.

I am using the join statement like this "search1 | join id [search2]"

In the primary search and in the sub-search there is a field called "id" but they do not always match.

I want to join on the field "search1 id=*" to "search2 key=*". "ID" and "KEY" always match.

I tried this but it did not work "search1 | join id:key [search2]"

I tried this but it did not work "search1 | join id,key [search2]"

I tried this to see if it would auto join, no luck "search1 | join [search2]"

Any help would be great.

jonuwz · ‎01-18-2013

Sounds like you just need to abstract the different fields into something common you can join on

... | search1 | eval join_field=id | join join_field [ search2 | eval join_field=key ]

View solution in original post

jonuwz · ‎01-18-2013

Sounds like you just need to abstract the different fields into something common you can join on

... | search1 | eval join_field=id | join join_field [ search2 | eval join_field=key ]

fflloovee · ‎05-08-2014

"eval join_field=id" Can i change id to field name because i have many id and want to join by id
i try to use "join type=left ID" and some value are missing(i search each value and see there refernce with id but still missing)

hartfoml · ‎01-18-2013

you have done it again twice in one day 🙂

Join Statment

Index This | Divide 100 by half. What do you get?

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Splunk and Fraud