Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using stats to join data instead of transaction

Kupo
Engager
‎02-17-2021 11:25 AM

I have two sources that have a common field (user) and am currently using transaction to join the user_a with the source_b_field. This query works fine.

 

index=index_a (sourcetype=source_a OR sourcetype=source_b)
| transaction startswith="string_start" endswith="string_end" maxspan=1s maxevents=2
| where (user_a = user_b)
| stats count by user_a, source_b_field

 

I figured it would be easy enough to use stats instead to increase execution efficiency  but I can't seem to get it quite right. The issue is that I need a left/inner join instead of a full join as I am only looking for users from source_a.

Here is the stats query that essentially just returns data from source_b as source_a is a subset of source_b.

 

index=index_a (sourcetype=source_a OR sourcetype=source_b)
| user_a=if(sourcetype=="source_b",user_b,user_a)
| stats count by user_a, source_b_field

 

Is there a way to join user_a with source_b_field via stats? I feel that I am missing something obvious.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎02-17-2021 11:46 AM

Hi

I think that this explanation will help you?

https://community.splunk.com/t5/Splunk-Search/What-is-the-relation-between-the-Splunk-inner-left-joi...

r. Ismo

Reply
Solved! Jump to solution

Kupo
Engager
‎02-17-2021 12:40 PM

This is amazing, I have been searching for something like this for awhile. I really appreciate it.

Here is the solution that worked for my use case

index=index_a (sourcetype=source_a OR sourcetype=source_b)
| user_a=if(sourcetype=="source_b",user_b,user_a)
| stats dc(sourcetype) as sourcetypeCount values(source_b_field) by user_a
| where sourcetypeCount = 2
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...