I have 2 indexes [customer_id, datetime] and [customer_id, date_of_creation, motive] with a common field "customer_id". I would like to perform a join of my indexes on this field, knowing that the values in each index can be non-unique.
As I don't want to use the Join function of Splunk because of its limits, I use eventstats instead. But the problem is that for the non-unique values, I get multivalue fields for datetime, date_of_creation and motive.
How could I proceed to get the same result as a join would do (without using Join!)?
Thanks in advance ! 😄
Have you tried
index=index1 OR index=index2 customer_id=* | stats values(datetime) as datetime values(date_of_creation) as date_of_creation values(motive) as motive by customer_id | ...
@kcollori - Can you explain how this differs from (or adds requirements to) your use case in this question? https://answers.splunk.com/answers/578302/how-to-join-2-indexes-by-common-field-respective-t.html#an...
When trying to connect something that is non-unique, you have to create uniqueness by a time limit or some other unique characteristic. That generally is going to require
streamstats rather than
sort 0 so you don't lose any),
eventstats is useful right here to collect remaining information together ...
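As an added illustration of the two approaches discussed in this thread (not code from either answer), here is a small Python model of what happens in each. The first function mimics the `stats values(...) by customer_id` search from the first answer: every customer collapses to one row, and any field that saw more than one distinct value becomes a multivalue field, which is exactly the symptom in the question. The second function mimics the time-ordered approach hinted at in the last answer: sort both indexes by customer_id and time, carry the most recent index2 record forward per customer (what `streamstats last(...) by customer_id` does after `sort 0`), and keep only the index1 events, so each index1 event gets exactly one date_of_creation and one motive. The sample events, the `_time` values and the field names `index`/`datetime`/`date_of_creation`/`motive` are constructed for the example and follow the names used in the question.

```python
from collections import defaultdict

# Constructed sample events standing in for the two indexes from the question.
# _time is the event timestamp Splunk would sort on; values are arbitrary.
INDEX1 = [  # fields: customer_id, datetime
    {"customer_id": "c1", "_time": 100, "datetime": "2018-01-01T10:00"},
    {"customer_id": "c1", "_time": 300, "datetime": "2018-01-03T10:00"},
    {"customer_id": "c2", "_time": 150, "datetime": "2018-01-02T09:00"},
    {"customer_id": "c3", "_time": 10, "datetime": "2018-01-01T00:10"},  # no index2 record yet
]
INDEX2 = [  # fields: customer_id, date_of_creation, motive
    {"customer_id": "c1", "_time": 50, "date_of_creation": "2018-01-01T09:00", "motive": "signup"},
    {"customer_id": "c1", "_time": 200, "date_of_creation": "2018-01-02T09:00", "motive": "upgrade"},
    {"customer_id": "c2", "_time": 120, "date_of_creation": "2018-01-02T08:00", "motive": "signup"},
]


def stats_values_join(idx1, idx2):
    """Model of `index=index1 OR index=index2 | stats values(f) as f ... by customer_id`.

    Returns one row per customer_id. Each field holds the sorted set of distinct
    values seen for that customer, so a customer with several events in either
    index ends up with multivalue fields (the problem described in the question).
    """
    rows = defaultdict(lambda: defaultdict(set))
    for ev in idx1 + idx2:
        for field, value in ev.items():
            if field in ("customer_id", "_time"):
                continue  # the group-by key and timestamp are not aggregated
            rows[ev["customer_id"]][field].add(value)
    return {cid: {f: sorted(vals) for f, vals in fields.items()} for cid, fields in rows.items()}


def streamstats_join(idx1, idx2):
    """Model of a time-ordered pairing:
       ... | sort 0 customer_id _time
           | streamstats last(date_of_creation) as date_of_creation last(motive) as motive by customer_id
           | where index="index1"

    Every index1 event is paired with the most recent index2 record for the same
    customer at or before its own time. Uniqueness comes from the time ordering,
    so no multivalue fields are produced. An index1 event with no earlier index2
    record keeps empty (None) fields, mirroring a missing streamstats value.
    """
    events = [dict(e, index="index1") for e in idx1] + [dict(e, index="index2") for e in idx2]
    events.sort(key=lambda e: (e["customer_id"], e["_time"]))  # sort 0 customer_id _time
    carried = {}  # per-customer "last seen" index2 values, as streamstats would carry them
    out = []
    for ev in events:
        cid = ev["customer_id"]
        if ev["index"] == "index2":
            carried[cid] = {"date_of_creation": ev["date_of_creation"], "motive": ev["motive"]}
        else:
            row = {"customer_id": cid, "datetime": ev["datetime"]}
            row.update(carried.get(cid, {"date_of_creation": None, "motive": None}))
            out.append(row)
    return out


if __name__ == "__main__":
    for cid, fields in stats_values_join(INDEX1, INDEX2).items():
        print("stats  ", cid, fields)
    for row in streamstats_join(INDEX1, INDEX2):
        print("stream ", row)
```

The `stats values()` model shows customer c1 with two datetimes, two creation dates and two motives squashed into one row, while the streamstats model yields one row per index1 event, each carrying the single index2 record that was current at that time. The same ordering trick applies if the pairing rule is "next record after" rather than "last record before": reverse the sort and keep the same carry-forward logic.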