Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

join two table

splunkpoornima
Communicator
‎10-19-2012 03:50 AM

hi all ,

after using the below search i got one table which has the transactional data as

source="aaa"|transaction TaskName startswith=START endswith=Succeeded|table TaskBP duration

TaskName duration

Task1 1.90

Task2 2.67

Task1 7.55

another table with Taskname and its average duration by using the below search

source="aaa"|transaction TaskName startswith=START endswith=Succeeded|stats avg(duration) by taskname |table taskname avg(duration)

i want to join these two searches so that my table will become as

Taskname duration avg(duration)

Task1 1.90 12.4

task2 2.67 5.9

Task1 7.55 12.4

i think of using the left outer join..plz help in writing the search

Tags (1)
0 Karma
Reply

shayhk
Explorer
‎12-17-2013 06:10 AM

hi,

I have the same problem

mysearchA | table field1 field2
| JOIN field1 [ mysearchB | table field1 field3]
| table field1 field2 field3

what is the mySearchA,mySearchB stands for ?
my data provider(file) is a host named XXX
when i am using a host=XXX in both of "mySearchA,B" expression i am getting an error

help needed
Thanks shay

Reply

yannK
Splunk Employee
Splunk Employee
‎12-17-2013 09:44 AM

You want that the searchA and searchB return a single line per field1, otherwise the join between the 2 lists will be wrong.

An example with a join between a list of users and the logins per server can be :
index=users username=* email=*
| stats values(email) AS email by username
| JOIN username
[
search index=servers login username=*
| stats values(host) AS server_login_list earliest(_time) AS recent_login earliest(host) AS recent_server by username
]
| table username email server_login_list recent_login recent_server

0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎12-17-2013 06:35 AM

try "source=XXX"

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎10-21-2012 08:21 AM

use a join on the common field

mysearchA | table field1 field2
| JOIN field1 [ mysearchB | table field1 field3]
| table field1 field2 field3

see http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join

Reply

Ayn
Legend
‎10-19-2012 04:24 AM

How is this different from the other question you had regarding adding an avg(duration) value to your search?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...