Re: Missing data when joining two larger sourcetyp...

yashaswinig2210 · ‎12-23-2020

Im trying to join two tables which have a common field but its not giving complete data as the tables have more than a lakh rows .? Is there any other option rather than join to combine the two tables

scelikok · ‎12-23-2020

@yashaswinig2210, if I get it right try below;

| inputlookup firstLookup | append [ |inputlookup secondLookup ] 
| stats values(field1) values(field2) by common_field

If this reply helps you an upvote and "Accept as Solution" is appreciated.

scelikok · ‎12-23-2020

Hi @yashaswinig2210, on most cases you can use stats rather than join.

Sample query;

| (index=first_index search_criteria_1) OR (index=second_index search_criteria_2)
| stats values(field1) values(field2) by common_field

You can get more information about join vs stats in below document.

https://docs.splunk.com/Documentation/Splunk/8.1.1/Search/Abouteventcorrelation

If this reply helps you, an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

yashaswinig2210 · ‎12-23-2020

@scelikok

it didnt work for my sourcetype , can use the same stats with lookups?

Missing data when joining two larger sourcetypes which have more than a lakh rows

join

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes