Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Join fields from 2 searches without join

jtg1703
New Member
‎10-24-2019 11:36 AM

Hi, I need some help with a little issue, I have 2 sorcetypes like this:

SOURCETYPE A:

ID_1 | DESCRIPCION
1 | RED
2 | BLUE
3 | GREEN
4 | YELLOW
5 | ORANGE

SOURCETYPE B:

ID_1 |ISSUE
1 |A
1 |B
1 |B
3 |B
4 |C

I try to find how many ID's have a issue B, the result be like this:

RED 2
GREEN 1

Currently my search use join clause, but it's very slow and i try to find the better way to do this,

someone could help me?
Regards,
J

Tags (1)
0 Karma
Reply

aberkow
Builder
‎10-24-2019 12:57 PM

You can definitely use the suggestion above about creating a lookup, and then using the lookup command like this:

| lookup csvName.csv ID_1 OUTPUT ISSUE, and then you can run aggregations on that ISSUE field (the ID_1 is the joining field)

You can use a stats command as well, but it's a bit difficult to understand what is the most ideal given the data you've given and you'd have to do a bit more fanciness with the fields. If you're just looking for instances of B, you can filter your second sourcetype to that in the base search and then run a command like this:

base search filtering to only B logs
| stats count(ISSUE) as issueCount, values(DESCRIPTION) as description by ID_1

Let me know if this is helpful/you have any other questions

0 Karma
Reply

tiagofbmm
Influencer
‎10-24-2019 12:48 PM

Seems you have material to build a static lookup. Your sourcetype A that has the description can be outputed to a lookups that you can use to enrich your stats on sourcetype B

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...