Splunk Search

join two table

splunkpoornima
Communicator

hi all ,

after using the below search i got one table which has the transactional data as

source="aaa"|transaction TaskName startswith=START endswith=Succeeded|table TaskBP duration

TaskName duration

Task1 1.90

Task2 2.67

Task1 7.55

another table with Taskname and its average duration by using the below search

source="aaa"|transaction TaskName startswith=START endswith=Succeeded|stats avg(duration) by taskname |table taskname avg(duration)

i want to join these two searches so that my table will become as

Taskname duration avg(duration)

Task1 1.90 12.4

task2 2.67 5.9

Task1 7.55 12.4

i think of using the left outer join..plz help in writing the search

Tags (1)
0 Karma

shayhk
Explorer

hi,

I have the same problem

mysearchA | table field1 field2
| JOIN field1 [ mysearchB | table field1 field3]
| table field1 field2 field3

what is the mySearchA,mySearchB stands for ?
my data provider(file) is a host named XXX
when i am using a host=XXX in both of "mySearchA,B" expression i am getting an error

help needed
Thanks shay

yannK
Splunk Employee
Splunk Employee

You want that the searchA and searchB return a single line per field1, otherwise the join between the 2 lists will be wrong.

An example with a join between a list of users and the logins per server can be :
index=users username=* email=*
| stats values(email) AS email by username
| JOIN username
[
search index=servers login username=*
| stats values(host) AS server_login_list earliest(_time) AS recent_login earliest(host) AS recent_server by username
]
| table username email server_login_list recent_login recent_server

0 Karma

somesoni2
Revered Legend

try "source=XXX"

0 Karma

yannK
Splunk Employee
Splunk Employee

use a join on the common field

mysearchA | table field1 field2
| JOIN field1 [ mysearchB | table field1 field3]
| table field1 field2 field3

see http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join

Ayn
Legend

How is this different from the other question you had regarding adding an avg(duration) value to your search?

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...