Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

join two table

splunkpoornima
Communicator
‎10-19-2012 03:50 AM

hi all ,

after using the below search i got one table which has the transactional data as

source="aaa"|transaction TaskName startswith=START endswith=Succeeded|table TaskBP duration

TaskName duration

Task1 1.90

Task2 2.67

Task1 7.55

another table with Taskname and its average duration by using the below search

source="aaa"|transaction TaskName startswith=START endswith=Succeeded|stats avg(duration) by taskname |table taskname avg(duration)

i want to join these two searches so that my table will become as

Taskname duration avg(duration)

Task1 1.90 12.4

task2 2.67 5.9

Task1 7.55 12.4

i think of using the left outer join..plz help in writing the search

Tags (1)
0 Karma
Reply

shayhk
Explorer
‎12-17-2013 06:10 AM

hi,

I have the same problem

mysearchA | table field1 field2
| JOIN field1 [ mysearchB | table field1 field3]
| table field1 field2 field3

what is the mySearchA,mySearchB stands for ?
my data provider(file) is a host named XXX
when i am using a host=XXX in both of "mySearchA,B" expression i am getting an error

help needed
Thanks shay

Reply

yannK
Splunk Employee
Splunk Employee
‎12-17-2013 09:44 AM

You want that the searchA and searchB return a single line per field1, otherwise the join between the 2 lists will be wrong.

An example with a join between a list of users and the logins per server can be :
index=users username=* email=*
| stats values(email) AS email by username
| JOIN username
[
search index=servers login username=*
| stats values(host) AS server_login_list earliest(_time) AS recent_login earliest(host) AS recent_server by username
]
| table username email server_login_list recent_login recent_server

0 Karma
Reply

somesoni2
Revered Legend
‎12-17-2013 06:35 AM

try "source=XXX"

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎10-21-2012 08:21 AM

use a join on the common field

mysearchA | table field1 field2
| JOIN field1 [ mysearchB | table field1 field3]
| table field1 field2 field3

see http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join

Reply

Ayn
Legend
‎10-19-2012 04:24 AM

How is this different from the other question you had regarding adding an avg(duration) value to your search?

0 Karma
Reply
Get Updates on the Splunk Community!

Tips & Tricks When Using Ingest Actions

Tune in to learn about:Large scale architecture when using Ingest ActionsRegEx performance considerations ...

Announcing Our Splunk MVPs

We are excited to announce the first cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...