Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Joining indexes once again

kp_pl
Path Finder
‎06-25-2024 03:00 AM


Still it find me difficult to understand logic of joining two indexes. Below the query which is almost suits my needs ... ALMOST

index="odp" OR index="oap" txt2="ibum_p"
| rename e as c_e
| eval c_e = mvindex(split(c_e, ","), 0)
| stats values(*) by c_e

line 1 - two indexes joined and one of them filtered ( to create OneToOne relation).
line 2&3 - rename and modification of key column in second index to make it identical as in the first index
line 4 - show all columns

Result contains 400 records - same as each index separately.
But result shows only columns from second index . I supposed values(*) means all columns from all indexes. I tried to type each column separately but it does not change anything - still columns from first index are empty - WHY??

If I succeed this milestone 😉  I will start aggregations

 


Any hints ?

Labels (2)
Labels
0 Karma
Reply

kp_pl
Path Finder
‎06-25-2024 08:09 AM

Guys

thanks for valuables hints and posts.
This time I managed to do it by myself.  here is my new, working query:

index="odp" OR index="oap" txt2="ibum_p"
| eval c_e = mvindex(split(c_e,","),0)
| eval c_e=coalesce(c_e,e)  
| stats values(*) by c_e


So critical in my case was renaming field.  Instead of rename I use coalesce and it helped.  Stats now returns values from both indexes.

K.

 


 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-25-2024 05:58 AM
@kp_pl wrote:

index="odp" OR index="oap" txt2="ibum_p"
| rename e as c_e
| eval c_e = mvindex(split(c_e, ","), 0)
| stats values(*) by c_e

line 1 - two indexes joined and one of them filtered ( to create OneToOne relation).

To clarify, line 1 does *not* join the indexes nor does it create a one-to-one relation.

The OR operator tells the search peers to select all events from the odp index and the events in the oap index where the txt2 field has the specified value.  No relationship between the two indexes is made or implied and none should be inferred.

To create a relationship, use the join (not preferred), transaction (also not preferred), or stats (preferred) command to associate the events by common fields, as in line 4.

---
If this reply helps you, Karma would be appreciated.
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-25-2024 05:13 AM

Please some anonymised sample events from both indexes and a description of what it is you are trying to achieve, and some expected output.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...