Solved: Splunk search string (without using JOIN)

Nicholas_Key · ‎03-23-2012

How does the 'optimized' splunk search string (without using JOIN) looks like for the following search string?

SELECT column_name(s)
FROM table_name1
INNER JOIN table_name2
ON table_name1.column_name=table_name2.column_name

gkanapathy · ‎03-23-2012

sourcetype=table_name1 [ search sourcetype=table_name2 | return 10000 column_name ] | fields column_name(s)

which works very well if there are fewer than 10000 distinct column_name values in table_name2, or generally when table_name2 is quite a bit smaller than table_name1.

Depending on the sizes of table_name1, table_name1, and the resulting join, there may be better optimizations, but the above is rather common.

View solution in original post

gkanapathy · ‎03-23-2012

sourcetype=table_name1 [ search sourcetype=table_name2 | return 10000 column_name ] | fields column_name(s)

which works very well if there are fewer than 10000 distinct column_name values in table_name2, or generally when table_name2 is quite a bit smaller than table_name1.

Depending on the sizes of table_name1, table_name1, and the resulting join, there may be better optimizations, but the above is rather common.

Splunk search string (without using JOIN)

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Announcing Modern Navigation: A New Era of Splunk User Experience

Casting Call: Compete in Cyber Games

Join the Conversation