Solved: getting unjoined keys in a join

nottheboss · ‎04-23-2018

Hi,

I currently have 2 log.
log 1
id, some data
1, "abc"
2, "def"

log 2
id, some other data
1, "abc"
3, "ghi"

what i want is results that have keys that did not join.
results
2, "def"
3, "ghi"

i am able only to find ids that joined so i am trying to get the opposite, anyone can help me out on this?

somesoni2 · ‎04-23-2018

I would use append-stats combination instead of join command, like this

your search 1 giving fields id and someField
| eval from="search1"
| append [search your search 2 giving fields id and someField
| eval from="search2"]
| stats dc(from) as sources by id someField
| where source=1 | fields - sources

View solution in original post

somesoni2 · ‎04-23-2018

I would use append-stats combination instead of join command, like this

your search 1 giving fields id and someField
| eval from="search1"
| append [search your search 2 giving fields id and someField
| eval from="search2"]
| stats dc(from) as sources by id someField
| where source=1 | fields - sources

getting unjoined keys in a join

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation