Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Missing data when joining two larger sourcetypes which have more than a lakh rows

yashaswinig2210
Engager
‎12-23-2020 03:04 AM

Hi @renjith_nair 

Im trying to join two tables which have a common field but its not giving complete data as the tables have more than a lakh rows .? Is there any other option rather than join to combine the two tables

Labels (1)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎12-23-2020 05:47 AM

@yashaswinig2210, if I get it right try below;

| inputlookup firstLookup | append [ |inputlookup secondLookup ] 
| stats values(field1) values(field2) by common_field
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

scelikok
SplunkTrust
SplunkTrust
‎12-23-2020 03:48 AM

Hi @yashaswinig2210, on most cases you can use stats rather than join.

Sample query;

| (index=first_index search_criteria_1) OR (index=second_index search_criteria_2)
| stats values(field1) values(field2) by common_field

You can get more information about join vs stats in below document.

https://docs.splunk.com/Documentation/Splunk/8.1.1/Search/Abouteventcorrelation

 

If this reply helps you, an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

yashaswinig2210
Engager
‎12-23-2020 04:27 AM

@scelikok 

it didnt work for my sourcetype , can use the same stats with lookups?

 

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...