Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Join only giving fields from one of the two sourcetypes

asarolkar
Builder
‎01-21-2013 10:55 AM

All,

I have a join on the two sourcetypes setup like this ->

sourcetype="alog" -> id_number

sourcetype="blog" -> id

This is what my join looks like 

sourcetype="alog" id_number=* | eval id=id_number | join id[ search sourcetype="blog" id=*| fields id]





For some reason, this join is only giving me results/fields that belong to alog.
What if I want the join to also give me all fields from blog whereever there was a match ?

I thought Splunk supported outer joins.

Any clues ?

Tags (3)
0 Karma
Reply

jonuwz
Influencer
‎01-21-2013 01:55 PM

You need to specify join type=outer

docs

Update

Just noticed - the only field you're returning from the subsearch is id : fields id

So the only fields you'll see will come from the main search.

Don't limit the fields in the subsearch

0 Karma
Reply

asarolkar
Builder
‎01-21-2013 02:07 PM

that did not seem to do the trick.

It still gave me only everything on the left that matched.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...