Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search using join command

appleman
Contributor
‎12-06-2013 04:16 AM

Hello,

I want to combine two different searches and each different field by using join command.
However, I always get "No Results" whatever I tried.
Please give me some advice.

Thank you.

joinコマンドを利用して二つのサーチを繋げ、それぞれにある違うフィールドを掛け合わせたいのですが、上手くいきません。
それぞれのデータ量が重いため、collect indexでインデックスを作成しながらやっても駄目でした。
joinコマンドの正しい使い方をご教授下さい。

index=A sourcetype=logs source!=XXX.csv id=1234 name=* | stats count by id number | join [search index=tarot | table number name main_type2] | stats count by id name main_type2 number | sort - count | head 20

common field => number

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

melonman
Motivator
‎12-10-2013 08:17 PM

if you are trying to have a reference from other source, try lookup.
create temporary lookup file by

... yoursearch | table fielda fieldb fieldc | outputlookup your_lookup.csv

then, do a search with the lookup command to lookup fields you need to put together.
* if your lookup file gets very big, then you can use lookup in DB using DB Connect.

View solution in original post

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...