- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: need help with joining two queries
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
need help with joining two queries
Hi ninjas,
i have two queries with ] the output as follows
query1 output fields:
SOR filename expected_time
1ci extract 12:30:00 10-5-2019
query2 output fields:
SOR ** filename** real_time
1art congig 01:30:00 10-5-2019
The second query values are subset of first query.
Now i want to print the values of SOR , filename and expected_time when there is no real_time value in the second query.
can you please help here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I cannot help unless you show us the 2 searches (the SPL).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi pench2k19,
best option is to forget about join completely for reasons.
Just use a plain stats instead:
query1 OR query2 | stats values(*) AS * by SOR
this works best, and you will not hit any hidden limits 😉
Learn more over here https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @MuS
Thanks for the response.
It's not working unfortunately.
Let me tell the clear requirement here... I need the SOR, Filename, expected_time values when there is no arrival time. Can you please suggest me the alternative way
Unfortunately I m not able copy my query here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To give you more context, in the first query I have loopkup file as data source and in the second query I mean using real time logs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @MuS
Thanks for the reply.
Unfortunately your solution is not working in my case.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm pretty sure it would if you could provide more context, and some sample events 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not clear on your query, if you need a lookup or join or transaction between the queries
Just a guess, Is this what you are expecting? The below should print fields irrespective of and if SOR is both the same, it will print the join
<query1>
| join type=left SOR [|<query2>]
Introducing the Splunk Community Dashboard Challenge!
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Wondering How to Build Resiliency in the Cloud?
