Solved: What is the right way to Join?

rochapablo · ‎08-05-2015

I've been searching how to join, but every example that I apply seems to be wrong.

I've got referents type of log:

app=my_app_name INFO controller=MyController method=myMethod transaction=999
app=my_app_name INFO controller=MyOtherController transaction_id=999
app=my_app_name INFO controller=CheckoutController params[transaction_id]=999

As you can see, I always have the transaction id in different keys.

So I'm trying to join like this:

index=my_app_name | join "params[transaction_id]" [ search  index=my_app_name transaction_id ] | fields controller

But like i said, it seems not to be working, because I've always got some result rows that don't make sense, like:

app=my_app_name INFO controller=CheckoutController order_id=99

woodcock · ‎08-05-2015

Try this:

... | rex "params\[transaction_id\]=(?<transaction_id>\d+)" | stats values(*) AS * by transaction_id

View solution in original post

martin_mueller · ‎08-05-2015

Here's a pretty good writeup to get you started on not joining at all: http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi...

woodcock · ‎08-05-2015

Try this:

... | rex "params\[transaction_id\]=(?<transaction_id>\d+)" | stats values(*) AS * by transaction_id

What is the right way to Join?

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform