Solved: getting unjoined keys in a join

nottheboss · ‎04-23-2018

Hi,

I currently have 2 log.
log 1
id, some data
1, "abc"
2, "def"

log 2
id, some other data
1, "abc"
3, "ghi"

what i want is results that have keys that did not join.
results
2, "def"
3, "ghi"

i am able only to find ids that joined so i am trying to get the opposite, anyone can help me out on this?

somesoni2 · ‎04-23-2018

I would use append-stats combination instead of join command, like this

your search 1 giving fields id and someField
| eval from="search1"
| append [search your search 2 giving fields id and someField
| eval from="search2"]
| stats dc(from) as sources by id someField
| where source=1 | fields - sources

View solution in original post

somesoni2 · ‎04-23-2018

I would use append-stats combination instead of join command, like this

your search 1 giving fields id and someField
| eval from="search1"
| append [search your search 2 giving fields id and someField
| eval from="search2"]
| stats dc(from) as sources by id someField
| where source=1 | fields - sources

getting unjoined keys in a join

Best Strategies to Optimize Observability Costs

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...