Solved: getting unjoined keys in a join

nottheboss · ‎04-23-2018

Hi,

I currently have 2 log.
log 1
id, some data
1, "abc"
2, "def"

log 2
id, some other data
1, "abc"
3, "ghi"

what i want is results that have keys that did not join.
results
2, "def"
3, "ghi"

i am able only to find ids that joined so i am trying to get the opposite, anyone can help me out on this?

somesoni2 · ‎04-23-2018

I would use append-stats combination instead of join command, like this

your search 1 giving fields id and someField
| eval from="search1"
| append [search your search 2 giving fields id and someField
| eval from="search2"]
| stats dc(from) as sources by id someField
| where source=1 | fields - sources

View solution in original post

somesoni2 · ‎04-23-2018

I would use append-stats combination instead of join command, like this

your search 1 giving fields id and someField
| eval from="search1"
| append [search your search 2 giving fields id and someField
| eval from="search2"]
| stats dc(from) as sources by id someField
| where source=1 | fields - sources

getting unjoined keys in a join

OpenTelemetry for Legacy Apps? Yes, You Can!

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

.conf25 Community Recap

Are you a member of the Splunk Community?

getting unjoined keys in a join

OpenTelemetry for Legacy Apps? Yes, You Can!

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

.conf25 Community Recap