Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Missing data when joining two larger sourcetypes which have more than a lakh rows

yashaswinig2210
Engager
‎12-23-2020 03:04 AM

Hi @renjith_nair 

Im trying to join two tables which have a common field but its not giving complete data as the tables have more than a lakh rows .? Is there any other option rather than join to combine the two tables

Labels (1)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎12-23-2020 05:47 AM

@yashaswinig2210, if I get it right try below;

| inputlookup firstLookup | append [ |inputlookup secondLookup ] 
| stats values(field1) values(field2) by common_field
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

scelikok
SplunkTrust
SplunkTrust
‎12-23-2020 03:48 AM

Hi @yashaswinig2210, on most cases you can use stats rather than join.

Sample query;

| (index=first_index search_criteria_1) OR (index=second_index search_criteria_2)
| stats values(field1) values(field2) by common_field

You can get more information about join vs stats in below document.

https://docs.splunk.com/Documentation/Splunk/8.1.1/Search/Abouteventcorrelation

 

If this reply helps you, an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

yashaswinig2210
Engager
‎12-23-2020 04:27 AM

@scelikok 

it didnt work for my sourcetype , can use the same stats with lookups?

 

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...