Solved: Re: Joining two searches

soumidutta · ‎10-27-2018

Hi ,

I want to join two searches without using Join command ?
I don't want to use join command for optimization issue.
Index name is same for both the searches but i was using different aggregate functions with the search .

iamarkaprabha · ‎10-27-2018

Hi ,

You can use the same search for these optimization issue.
I prefer to write it like this.

index=indexname 
| stats dc(yourfield) count(eval(anotherfield=fieldvalue)) by other field names

View solution in original post

iamarkaprabha · ‎10-27-2018

Hi ,

You can use the same search for these optimization issue.
I prefer to write it like this.

index=indexname 
| stats dc(yourfield) count(eval(anotherfield=fieldvalue)) by other field names

soumidutta · ‎10-27-2018

Thanks, I was looking for this one

iamarkaprabha · ‎10-27-2018

Hi ,

If i am able to answer your query , Can you please mark this answer as accepted ?

renjith_nair · ‎10-27-2018

@soumidutta,

Would it be possible to provide more details ? Do you have a common field in both searches? Or how do you want to join them? How are the events look like and what's your expected output?

Happy Splunking!

Joining two searches

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk