Re: SPL search query to combine two tables

MikeJu25 · ‎06-30-2021

Hi,

I have database table and anomaly table. Both tables have a field database_id. Now I am interested in the status and confidence fields in anomaly table as well as data_source and ip fields in database table. I want to combine them into one table based on the database_id. I tried some queries like below but its result was not as expected.

index=anomalies | JOIN type=left database_id [SEARCH index=assets] | fields anomaly_id, confidence, current_status, database_id, source_type, ip

How could I write a query that returns a table showing the info for all anomalies as well as the database info related to that anomaly using database_id as a bridge?

Thank you in advance!

Regards,

ITWhisperer · ‎06-30-2021

In what way were they not as expected?

MikeJu25 · ‎07-05-2021

Seems like it works for now! Thank you!

SPL search query to combine two tables

field extraction

join

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation