Solved: Replace join with stats to merge events based on c...

eddiet · ‎09-07-2017

My datasets are much larger but these represent the crux of my hurdle

sourcetype=sale_by
fields: sid, user

sourcetype=sale_made
fields: sid, amount

Where: sale_made.sid = sale_by.sid

I have this search that works:

sourcetype=sale_by  | join sid [ search sourcetype=sale_made ] | stats sum(amount)  by user

Can this be done more efficiently with stats?

MuS · ‎09-07-2017

Hi eddiet,

Sure, try this:

 sourcetype=sale_by OR sourcetype=sale_made 
| stats values(user) AS user sum(amount) AS amount by sid 
| stats values(amount) AS amount by user

This is not tested and also depends on your events and the expected result, but it should give you an idea how it can be done.
You can read this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... to learn more about this topic.

Hope this helps ...

cheers, MuS

woodcock · ‎09-07-2017

Try this:

sourcetype=sale_by OR sourcetype=sale_made
| stats values(user) AS user sum(amount) as amount BY sid
| stats sum(amount) as amount BY user

MuS · ‎09-07-2017

Hi eddiet,

Sure, try this:

 sourcetype=sale_by OR sourcetype=sale_made 
| stats values(user) AS user sum(amount) AS amount by sid 
| stats values(amount) AS amount by user

This is not tested and also depends on your events and the expected result, but it should give you an idea how it can be done.
You can read this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... to learn more about this topic.

Hope this helps ...

cheers, MuS

woodcock · ‎09-07-2017

Wow, almost a jinx!

Replace join with stats to merge events based on common field