I have a problem with Splunk.
I have a sourcetype with my orders and a sourcetype with my customers.
I have a customer technical key in my customers table and in my orders table.
Is it possible to simulate a left join? I have a lot of customers (more than 10 million...), so it is not possible to use the join command.
Thanks in advance for your answers.
I would look at populating a lookup or kvstore with your customers and from that you can either do an automatic lookup, or use the data manually. Then you'll want to construct a search to regularly keep the lookup up-to-date. You could also potentially use the KVStore for this as well.
I concur with creating a lookup table from your customer data using a regularly scheduled search to keep the table current. Then configure the table for automatic lookup and your customer info will be added to each order event as it is processed.
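The lookup approach from the two answers above, written out as configuration. This is an added example, not part of the original replies: the field names customer_key and customer_name, the collection name customers, the lookup name customers_by_key and the hourly schedule are assumptions to adapt to your data.

```ini
# --- collections.conf: KV store collection holding one record per customer ---
# (collection name is an assumption)
[customers]
field.customer_key = string
field.customer_name = string

# --- transforms.conf: lookup definition backed by that collection ---
[customers_by_key]
external_type = kvstore
collection = customers
fields_list = _key, customer_key, customer_name

# --- savedsearches.conf: scheduled search that keeps the lookup current ---
# append=true with key_field updates existing customers in place and adds new
# ones, so each run only has to read the customer events of its time window.
[Refresh customers lookup]
search = sourcetype=customers \
| stats latest(customer_name) AS customer_name BY customer_key \
| outputlookup append=true key_field=customer_key customers_by_key
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -70m
dispatch.latest_time = now

# --- props.conf: automatic lookup on every order event ---
# An order whose customer_key has no match is still returned, only without
# customer_name, which is the left-join behaviour asked for.
[orders]
LOOKUP-customer = customers_by_key customer_key OUTPUTNEW customer_name

# Manual equivalent at search time, without the props.conf stanza:
#   sourcetype=orders | lookup customers_by_key customer_key OUTPUT customer_name
```

The first run of the scheduled search needs a time range wide enough to cover all existing customer events; later runs can use the short window shown.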
KV store is a good approach, but if you cannot do it there is always
If your orders and customers source types have a common field like id you can do something like this:
sourcetype=orders OR sourcetype=customers | stats values(orders) AS orders values(customers) AS customers by id
This is untested since I don't have your data available, but you can read more about this topic here: https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo...