Re: Joining Data

jimjohn · ‎03-05-2014

Hi

HostA contains employer_code like (A,B,C,D,E,F,G)
HostB contains ER Code like (A,A,B,D,D)

I am trying to join 2 data sources with below query.
host=HostA|join employer_code [search host=HostB| eval "ER Code"=employer_code]

I am not getting result like inner join in SQL.
Can anybody help.Is there any other way to solve this issue rather than join?
Can we achieve this by sub search?

wpreston · ‎03-05-2014

Try something like this:

host=HostA OR host=HostB ... rest of your search string...
| eval employer_code=if(host="HostB",ErID,employer_code)
| stats avg(field1) count(field2) by employer_code

Join may not be necessary in Splunk and is often an expensive operation. Does this get you closer to what you need?

MuS · ‎03-05-2014

or use Splunk DB connect and run the SQL statment as

| dbquery database your SQLfu

if you are more comfortable with SQL

jimjohn · ‎03-05-2014

i need to convert above SQL to splunk serarch

jimjohn · ‎03-05-2014

My SQL will be like this.

select avg(a.field1),count(b.field2)
from HostA a
join HostB b on a.empId=b.ErID
group by a.field,b.field2;

martin_mueller · ‎03-05-2014

What's your actual use case?

Working off an existing search only is often futile for finding the best approach.

Joining Data

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)