Splunk Search

Join between 2 sourcetypes with a lot of data

jbechchar
New Member

Hi everybody.

I have a problem with Splunk.

I have a sourcetype with my orders and a sourcetype with my customers.

I have a customer technical key in my customers table and in my orders table.

Is it possible to simulate a left join? I have a lot of customers (more than 10 million...), so it is not possible to use the join command.

Thanks in advance for your answers.

0 Karma

jbechchar
New Member

Thanks all for your answers.

Is it possible to put a value in the _key field? For example, my technical key...

I cannot see an example anywhere.

Thanks in advance.

0 Karma

curryRick
Explorer

I concur with creating a lookup table from your customer data using a regularly scheduled search to keep the table current. Then configure the table for automatic lookup and your customer info will be added to each order event as it is processed.

0 Karma

MuS
Legend

KV store is a good approach, but if you cannot do it there is always stats.
If your orders and customers source types have a common field like id, you can do something like this:

sourcetype=orders OR sourcetype=customers | stats values(orders) AS orders values(customers) AS customers by id

This is untested since I don't have your data available, but you can read more about this topic here: https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo...

cheers, MuS
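
The stats approach from the answer above, arranged as a left join from orders to customers (an added example, not part of the original thread). The field names customer_key, order_id and customer_name are assumptions; substitute the fields your sourcetypes actually carry.

```spl
`comment("Added example. Hypothetical fields: customer_key, order_id, customer_name")`
(sourcetype=orders) OR (sourcetype=customers)
| fields sourcetype customer_key order_id customer_name
| stats values(order_id) AS order_id
        values(customer_name) AS customer_name
        count(eval(sourcetype=="orders")) AS order_count
        BY customer_key
| where order_count > 0
| fillnull value="(no customer record)" customer_name
| mvexpand order_id
```

The `where order_count > 0` clause keeps every key that has at least one order, whether or not a customer event matched, which is what makes this a left join rather than an inner join. Trimming with `fields` before `stats` keeps the per-key memory footprint small when the customer set is large.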
