Solved: getting unjoined keys in a join

nottheboss · ‎04-23-2018

Hi,

I currently have 2 log.
log 1
id, some data
1, "abc"
2, "def"

log 2
id, some other data
1, "abc"
3, "ghi"

what i want is results that have keys that did not join.
results
2, "def"
3, "ghi"

i am able only to find ids that joined so i am trying to get the opposite, anyone can help me out on this?

somesoni2 · ‎04-23-2018

I would use append-stats combination instead of join command, like this

your search 1 giving fields id and someField
| eval from="search1"
| append [search your search 2 giving fields id and someField
| eval from="search2"]
| stats dc(from) as sources by id someField
| where source=1 | fields - sources

View solution in original post

somesoni2 · ‎04-23-2018

I would use append-stats combination instead of join command, like this

your search 1 giving fields id and someField
| eval from="search1"
| append [search your search 2 giving fields id and someField
| eval from="search2"]
| stats dc(from) as sources by id someField
| where source=1 | fields - sources

getting unjoined keys in a join

Alpha Launch: AI-Assisted Auto-Schematization for CIM

Enterprise Security(ES) Essentials or Premier? Let's discuss Splunk ES Editions on ...

[Puzzles] Solve, Learn, Repeat: Advent of Code - Day 5

Join the Conversation

getting unjoined keys in a join

Alpha Launch: AI-Assisted Auto-Schematization for CIM

Enterprise Security(ES) Essentials or Premier? Let's discuss Splunk ES Editions on ...

[Puzzles] Solve, Learn, Repeat: Advent of Code - Day 5