Splunk Search

Replace join with stats to merge events based on common field

eddiet
Explorer

My datasets are much larger but these represent the crux of my hurdle

sourcetype=sale_by
fields: sid, user

sourcetype=sale_made
fields: sid, amount

Where: sale_made.sid = sale_by.sid

I have this search that works:

sourcetype=sale_by  | join sid [ search sourcetype=sale_made ] | stats sum(amount)  by user

Can this be done more efficiently with stats?

1 Solution

MuS
Legend

Hi eddiet,

Sure, try this:

 sourcetype=sale_by OR sourcetype=sale_made 
| stats values(user) AS user sum(amount) AS amount by sid 
| stats values(amount) AS amount by user

This is not tested and also depends on your events and the expected result, but it should give you an idea how it can be done.
You can read this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... to learn more about this topic.

Hope this helps ...

cheers, MuS

View solution in original post

woodcock
Esteemed Legend

Try this:

sourcetype=sale_by OR sourcetype=sale_made
| stats values(user) AS user sum(amount) as amount BY sid
| stats sum(amount) as amount BY user

MuS
Legend

Hi eddiet,

Sure, try this:

 sourcetype=sale_by OR sourcetype=sale_made 
| stats values(user) AS user sum(amount) AS amount by sid 
| stats values(amount) AS amount by user

This is not tested and also depends on your events and the expected result, but it should give you an idea how it can be done.
You can read this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... to learn more about this topic.

Hope this helps ...

cheers, MuS

woodcock
Esteemed Legend

Wow, almost a jinx!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...