Re: Join behaving weird

akshaybahetii · ‎12-03-2014

The two queries I believe are similar but still i get very different number of results. I have changed the subsearch and join maxout in limits.conf. "productId" is the only common filed across both tables

sourcetype=all_review earliest=01/01/2012:0:0:0 latest=12/31/2012:23:59:59
| JOIN type=inner productId [SEARCH sourcetype=categories] | where pCategory="Movies"
18000 results returned

sourcetype=all_review earliest=01/01/2012:0:0:0 latest=12/31/2012:23:59:59
| JOIN type=inner productId [SEARCH sourcetype=categories pCategory="Movies"]
221,123 results returned.

I feel a subsearch/join maxout is hard coded in splunk. I need to find a alternative to join here.

MuS · ‎12-04-2014

Hi akshaybahetii,

here you have (not an alternative to join but...) the better option for most of the use cases http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi...

cheers, MuS

Join behaving weird

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation