Splunk Search

Joining indexes once again

kp_pl
Path Finder


Still, I find it difficult to understand the logic of joining two indexes. Below is the query which almost suits my needs ... ALMOST

index="odp" OR index="oap" txt2="ibum_p"
| rename e as c_e
| eval c_e = mvindex(split(c_e, ","), 0)
| stats values(*) by c_e

line 1 - two indexes joined and one of them filtered (to create a OneToOne relation).
line 2&3 - rename and modification of the key column in the second index to make it identical to the one in the first index
line 4 - show all columns

The result contains 400 records - the same as each index separately.
But the result shows only columns from the second index. I supposed values(*) means all columns from all indexes. I tried to type each column separately but it does not change anything - still the columns from the first index are empty - WHY??

If I succeed at this milestone 😉 I will start aggregations

Any hints ?


kp_pl
Path Finder

Guys

thanks for the valuable hints and posts.
This time I managed to do it by myself. Here is my new, working query:

index="odp" OR index="oap" txt2="ibum_p"
| eval c_e = mvindex(split(c_e,","),0)
| eval c_e=coalesce(c_e,e)  
| stats values(*) by c_e


So the critical thing in my case was renaming the field. Instead of rename I used coalesce and it helped. Stats now returns values from both indexes.

K.


richgalloway
SplunkTrust

@kp_pl wrote:

index="odp" OR index="oap" txt2="ibum_p"
| rename e as c_e
| eval c_e = mvindex(split(c_e, ","), 0)
| stats values(*) by c_e

line 1 - two indexes joined and one of them filtered (to create a OneToOne relation).

To clarify, line 1 does *not* join the indexes nor does it create a one-to-one relation.

The OR operator tells the search peers to select all events from the odp index and the events in the oap index where the txt2 field has the specified value.  No relationship between the two indexes is made or implied and none should be inferred.

To create a relationship, use the join (not preferred), transaction (also not preferred), or stats (preferred) command to associate the events by common fields, as in line 4.

---
If this reply helps you, Karma would be appreciated.
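To make the point above concrete, here is an added example (my own Python model, not code from the thread and not Splunk's own implementation) of what `stats values(*) by c_e` does with events retrieved from two indexes. The sample events, and the field names odp_val and oap_val, are constructed for illustration. It shows two things a practitioner wants to verify: that stats silently drops every event that lacks the by-field (so oap events, whose key lives in `e`, never reach the result until the key is normalised into `c_e`), and that after `coalesce(c_e, e)` plus the `split`/`mvindex` trim, one row per key collects the fields of both indexes. The trim is applied after the coalesce here so a comma suffix is removed whichever field carried the key; that ordering is my choice, not the poster's exact query.

```python
"""Added example: a small Python model of correlating two Splunk indexes
with `stats values(*) by c_e`. Sample events below are constructed."""
from collections import defaultdict

# Constructed sample events. Index "odp" carries the key in field c_e;
# index "oap" carries it in field e, sometimes with a comma-separated suffix.
ODP_EVENTS = [
    {"index": "odp", "c_e": "A1", "odp_val": "alpha"},
    {"index": "odp", "c_e": "B2", "odp_val": "bravo"},
    {"index": "odp", "c_e": "C3", "odp_val": "charlie"},
]
OAP_EVENTS = [
    {"index": "oap", "e": "A1,x", "txt2": "ibum_p", "oap_val": "10"},
    {"index": "oap", "e": "B2", "txt2": "ibum_p", "oap_val": "20"},
    {"index": "oap", "e": "D4", "txt2": "ibum_p", "oap_val": "40"},
]


def mvindex_split_first(value, sep=","):
    """Model of mvindex(split(value, sep), 0): first element, None if null."""
    return None if value is None else value.split(sep)[0]


def coalesce(*values):
    """Model of coalesce(a, b, ...): the first argument that is not null."""
    return next((v for v in values if v is not None), None)


def normalize_key(event):
    """Give every event the same key field name, c_e, whichever index it
    came from: coalesce(c_e, e), then keep the part before the first comma.
    (Assumption of this example: the trim runs after the coalesce.)"""
    ev = dict(event)
    ev["c_e"] = mvindex_split_first(coalesce(ev.get("c_e"), ev.get("e")))
    return ev


def stats_values_by(events, by_field):
    """Model of `stats values(*) by <by_field>`: one row per key, each
    field holding its sorted distinct values. Events without the by-field
    are dropped, which is what Splunk's stats does with a missing by-field."""
    rows = defaultdict(lambda: defaultdict(set))
    for ev in events:
        key = ev.get(by_field)
        if key is None:
            continue
        for field, value in ev.items():
            if field != by_field:
                rows[key][field].add(value)
    return {key: {f: sorted(v) for f, v in fields.items()}
            for key, fields in rows.items()}


def correlate_raw(odp_events, oap_events):
    """No key normalisation: oap events have no c_e, so stats discards
    them and the result only ever contains odp columns."""
    return stats_values_by(odp_events + oap_events, "c_e")


def correlate(odp_events, oap_events):
    """The thread's working approach: normalise the key on every event,
    then let stats associate events from both indexes by that key."""
    normalized = [normalize_key(ev) for ev in odp_events + oap_events]
    return stats_values_by(normalized, "c_e")


if __name__ == "__main__":
    for key, row in sorted(correlate(ODP_EVENTS, OAP_EVENTS).items()):
        print(key, dict(row))
```

The `index` field is a convenient check that the correlation happened: a key present in both indexes ends up with `values(index)` holding both `oap` and `odp`, while a key seen only in one index lists just that one, with no columns from the other.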

ITWhisperer
SplunkTrust

Please post some anonymised sample events from both indexes, a description of what it is you are trying to achieve, and some expected output.
