Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Join Command not working as expected

punyanit
Path Finder
‎05-11-2020 02:13 PM

Hello everyone,

I am trying to join using "Table" as common field, here is my query.

index=prod source=A
| stats count by PROD TABLENAME_PROD Partition_Column_PROD INI_TRANS_PROD Table Column Trans
| sort TABLENAME_PROD
| join type=left Table
[ search index=preprod source=B
| stats count by CAP TABLENAME_CAP Partition_Column_CAP INI_TRANS_CAP Table Column Trans
|sort TABLENAME_CAP
]
| table Partition_Column_PROD Partition_Column_CAP

The values that i am getting here is not matching to those if i run both commands separately and join there output manually(keeping Table as common field)

I.e values of Partition_Column_CAP,Partition_Column_PROD , of this query should match with values of Partition_Column_CAP , Partition_Column_PROD which i will get if i would run these queries separately .

original Output of above query
Partition_Column_PROD Partition_Column_CAP
(ACS_ID, ACS_ID) (ACS_ID)
(ADDR_ID, ADDR_ID) (ADDR_ID)
(CITY, CITY, ADDR_ID, ADDR_ID) (ADDR_ID)
(ALFRESCO_MSTR_REC_ID) (ALFRESCO_MSTR_REC_ID)
(APPL_ID, APPL_ID) (APPL_ID)
(ACS_METHD_ID, ACS_METHD_ID) (ACS_METHD_ID)
(APPL_CMPNT_ID, APPL_CMPNT_ID) (APPL_CMPNT_ID)
(CMPNT_TYP_ID, CMPNT_TYP_ID) (APPL_CMPNT_ID)

Expected output

Partition_Column_PROD Partition_Column_CAP
(ACS_ID, ACS_ID) (ACS_ID)
(ADDR_ID, ADDR_ID) (ADDR_ID)
(CITY, CITY, ADDR_ID, ADDR_ID) (CITY, ADDR_ID)
(ALFRESCO_MSTR_REC_ID) (ALFRESCO_MSTR_REC_ID)
(APPL_ID, APPL_ID) (APPL_ID)
(ACS_METHD_ID, ACS_METHD_ID) (ACS_METHD_ID)
(APPL_CMPNT_ID, APPL_CMPNT_ID) (APPL_CMPNT_ID)
(CMPNT_TYP_ID, CMPNT_TYP_ID) (CMPNT_TYP_ID)

In above results Partition_Column_PROD and Partition_Column_CAP are from both searches(search and sub search) which is joined manually.

There are no repetitive values for the second part of search query ,for ex the field Partition_Column_CAP has these 3 different values
(ACS_ID) , (ADDR_ID) ,(CITY, ADDR_ID) and each event has unique value

now when i add this second part of search query to the join command i start seeing repetitive values for the same mentioned
field mentioned above, which should not be the case

Tags (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-11-2020 11:42 PM

Hi @punyanit,
only one question: if you run the second search (the subsearch) separately, how many results do you have?
because there's the limit of 50,000 results in subsearches, so, maybe this is your problem.
For this reson you should try to use a different approach (stats command) instead join that's in addition a very slow command.
Something like this:

(index=prod source=A) OR (index=preprod source=B)
| eval PROD=coalesce(PROD,CAP), TABLENAME_PROD=coalesce(TABLENAME_PROD,TABLENAME_CAP),  Partition_Column_PROD=coalesce(Partition_Column_PROD,Partition_Column_CAP), INI_TRANS_PROD=coalesce(INI_TRANS_PROD,INI_TRANS_CAP)
| stats count by PROD TABLENAME_PROD Partition_Column_PROD INI_TRANS_PROD Table Column Trans
| sort TABLENAME_PROD

Ciao.
Giuseppe

0 Karma
Reply

punyanit
Path Finder
‎05-12-2020 01:36 AM

@gcusello thank you for effort, my subsearch is returning only 315 results in last 24hrs

0 Karma
Reply

to4kawa
Ultra Champion
‎05-11-2020 02:38 PM

what's the difference.

0 Karma
Reply

punyanit
Path Finder
‎05-13-2020 03:57 AM

@to4kawa i have that in my question now

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...