My driver file has one row per key. The subsearch file can contain multiple rows for each key. I need my result set rows to contain the driver file data and the subsearch data. Currently, I am getting only one row per driver file key. I need for those to be able to be more (one input row to be able to produce a row for each subsearch hit). I cannot swap around the driver for the subsearch.
I don't know if the subsearch is stopping looking after the first hit, or the output processing is dropping all but the first match. (I hope it is the latter.)
Example (Simplified -- I could have 300+ matching rows from the subsearch):
Driver file: Subsearch file:
key fielda fieldb key fieldc fieldd
Key-1 A1 B1 Key-1 C1 D1
Key-1 C2 D2
Key-2 A2 B2 Key-2 C3 D3
Result is:
key fielda fieldb fieldc fieldd
Key-1 A1 B1 C1 D1
Key-2 A2 B2 C3 D3
Result should be:
key fielda fieldb fieldc fieldd
Key-1 A1 B1 C1 D1
Key-1 A1 B1 C2 D2
Key-2 A2 B2 C3 D3
The JOIN is very basic.
{btw, outer JOINS do not exist in SPLUNK -- they are left joins per the documentation and my experience -- a real headache}:
| join A_Issue_Key type=left
[ | inputlookup Reference_Table.csv
| fields A_Issue_Type, A_Issue_Key, B_Test_Count, B_Test, B_Test_Execution]
| eval Total_TC=6, Deferred=2, Passed=2, Failed=2 ]
thanks!
http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Join
... View more