Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Recurring JOIN

tlmayes
Contributor
‎08-04-2021 02:30 PM

I have an index1/source1/sourcetype1 of events that is several "million" records each day. 
I have a second index1/source1/sourcetype2 that is several hundred records each day

Several times a day I must execute a JOIN command to associate (1) sourcetype1 field with (1) sourcetype2 field, with each run of the query covering the last 2 weeks.  The associations between query1 and query2 change or are updated with each run.  The output is not static (changes with each run), which means the output of the last query is no longer valid since the data in query2 changes. 

Is there a better way to address this?  KB or Lookup won't work since the output of query2 changes the outcome, and saving the output of query1 is not practical (millions of events)

index=index1 sourcetype=sourcetype1 field=common
| join common
[ search index=index1 sourcetype=sourcetype2 field=common field=changing]
| table common, changing, field3, field4, field5, ......

Labels (1)
Labels
Tags (1)
0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎08-04-2021 04:46 PM

Hi @tlmayes 

You can use stats,

index=idx1 source=source1 sourcetype=st1 OR sourcetype=st2 | stats aggregate_functions by your_common_field_names.

 

0 Karma
Reply

tlmayes
Contributor
‎08-04-2021 05:58 PM

Somewhat faster, but shows only the fields of the first sourcetype, never the second, using:

index=idx1 source=source1 sourcetype=st1 OR sourcetype=st2 | stats count values(common_field) as common_field by field1, field2, field3, etc...

In this example, field1 is in st2, common_field in both, and all other fields in st1.  

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...