i have two indexes i have Sid common in both
i want to display Sid and Did in a table. Please help me with join condtion.
index=index2 sid=* | join type=left sid [search index=index1 sid=* | fields sid ] | table sid did
This assumes index2 has sid & did, and index1 has just sid
Basically mirror your image and follow the docs: http://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/SearchReference/Join
View solution in original post
How about this? (will keep events with sid common and sid only in index=B, the right outer join)
index=A OR index=B | stats value(did) as did values(index) as indexes by sid | where isnotnull(mvfind(indexes,"B"))
Is there a common field between those two indexes? If I understand correctly you're trying to get what a SQL right outer join will give, is it correct?
Sid is a common field. Yes, it is similar like SQL Right join .
index=index2 sid=* | join type=left sid [search index=index1 sid=* ] | table sid did
this is working
