Splunk Search

Join between 2 sourcetypes with a lot of data

New Member

Hi everybody.

I have a problem on splunk.

I have a sourcetype with my orders and a sourcetype with my customers.

I have a customer technical key in my customers table and in my orders table.

Is it possible to simulate a left join? I have a lot of customers (more than 10 million...), so it is not possible to use the join command.

Thanks in advance for your answers.

0 Karma

New Member

Thanks all for your answers.

Is it possible to put a value in the _key field? For example, my technical key...

I cannot see an example anywhere.

Thanks in advance.

0 Karma


I concur with creating a lookup table from your customer data using a regularly scheduled search to keep the table current. Then configure the table for automatic lookup and your customer info will be added to each order event as it is processed.

0 Karma
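The lookup approach above, as an added example (not code from the answer's author): a scheduled search that refreshes a KV store lookup from the customer events, and the order search that is enriched from it. Setting `_key` to the customer technical key before `outputlookup` makes each customer one keyed record, and with `append=true` an existing record with the same `_key` is updated rather than duplicated, so the scheduled search only needs to cover customers that changed since the last run. The sourcetype names, the collection name `customers_kv` and the field names `customer_key`, `customer_name` and `customer_country` are assumptions; the `comment` macro is the one shipped with the Splunk search app.

```spl
`comment("Scheduled search, e.g. every hour over the last hour of customer events.")`
`comment("Assumed fields: customer_key (technical key), customer_name, customer_country.")`
sourcetype=customers earliest=-1h
| dedup customer_key sortby -_time
| fields customer_key customer_name customer_country
| eval _key=customer_key
| outputlookup customers_kv append=true

`comment("Enrichment search: every order is kept (left join); customer fields stay empty for keys with no record.")`
sourcetype=orders
| lookup customers_kv customer_key OUTPUT customer_name customer_country
| fillnull value="unknown" customer_name customer_country
| table _time order_id customer_key customer_name customer_country
```

The collection has to exist first: a `[customers_kv]` stanza in collections.conf declaring the fields, and a `[customers_kv]` stanza in transforms.conf with `external_type = kvstore`, `collection = customers_kv` and a `fields_list` that includes `_key` and the three assumed fields. Once the lookup works with `| lookup`, the same transforms stanza can be wired up as an automatic lookup on the orders sourcetype in props.conf, which is what the answer above describes.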


KV store is a good approach, but if you cannot do it there is always stats.
If your orders and customers sourcetypes have a common field like id you can do something like this:

sourcetype=orders OR sourcetype=customers | stats values(orders) AS orders values(customers) AS customers by id

This is untested since I don't have your data available, but you can read more about this topic here: https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo...

cheers, MuS
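The stats-based left join sketched in the answer above, carried through as an added example (not the answer author's code): both sourcetypes are read in one pass, grouped by the shared key, and then expanded back to one row per order, so orders whose customer key has no match survive with empty customer fields while customers with no orders are dropped. The field names `order_id`, `amount`, `customer_name` and `customer_country` and the key name `customer_key` are assumptions.

```spl
`comment("Assumed: customer_key on both sourcetypes; order_id and amount on orders; customer_name and customer_country on customers.")`
sourcetype=orders OR sourcetype=customers
| fields sourcetype customer_key order_id amount customer_name customer_country
`comment("Pack each order into one value so it survives the stats; order_id keeps values() from merging two orders.")`
| eval order=if(sourcetype=="orders", order_id.";".amount, null())
| stats values(customer_name) AS customer_name
        values(customer_country) AS customer_country
        values(order) AS order
        count(eval(sourcetype=="orders")) AS n_orders
        by customer_key
`comment("Left join semantics: keep only keys that have at least one order.")`
| where n_orders > 0
| mvexpand order
| rex field=order "^(?<order_id>[^;]+);(?<amount>.*)$"
| fillnull value="unknown" customer_name customer_country
| fields - order n_orders
| table customer_key order_id amount customer_name customer_country
```

This is a single pass rather than a join, but the stats still has to hold one bucket per distinct key, so with 10 million customers it is worth narrowing the customer side (for example to customers seen in the same time window as the orders) and keeping the `fields` command early; the lookup approach in the other answer scales better for a full customer table.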
