Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Joining data

jimjohn
Path Finder
‎03-10-2014 07:03 AM

Hi All,
This is a repeated question.I am posting it again because I cant find a solution.

I have 2 data sets which contain a common data.(Columns names are different in 2 data set).
Ex:
Data1 Data2
EmpId EId
Name Visit
Age
EmpId and EId are columns I want to join.
In Data1 and Data2 have one to many relations.
Both of this data set will be loaded in splunk on daily basis.So I want to join them and show the result on a day by basis (like timechart does).
Ie I want to join today's Data1 with today's Data2.

I tired below things but both of them doesn't work out.

1)host=Data1 OR Data2| eval employerCode = if(host="Data1","EId", employer_code) |transaction employerCode maxspan=1d

2)host=Data1|join EmpId [search host=Data2 | eval "EId"=EmpId]|eventstats .....

can anybody help me?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-10-2014 07:23 AM

Try 'host=Data1 | rename EmpId AS employerCode | join employerCode [search host=Data2 | rename EId AS employerCode ... '. Of course, this means any downstream use of EmpId or EId will have to use employerCode instead.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-12-2014 07:48 AM

Please accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

jimjohn
Path Finder
‎03-10-2014 10:49 PM

Thanks man...It works out....

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...