Refine your search:

How can I join two table in Splunk using query like this?

select dialog.id, dialog.callId, dialogParty_dialog_id, attributeKey_id, attributeValue from dialog, descriptionsattribute where callid = 'AL_a8wKVUUuX2qY7DgmBIg..' and dialog.id = dialogParty_dialog_id;"

thank you and regards, Akas

asked 24 Feb '12, 02:15

orakanggo's gravatar image

orakanggo
1
accept rate: 0%


One Answer:

What do you mean by "table"? Splunk doesn't have tables. It does have join and similar operators though, but it's often not a 100% good idea to try to implement the exact same concepts to Splunk searches as with SQL searches. That said, this "Splunk for SQL users" guide should prove useful.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SQLtoSplunk

link

answered 24 Feb '12, 02:18

Ayn's gravatar image

Ayn ♦
36.2k3919
accept rate: 40%

sorry, I have two sourcetypes, first is CALL-DIALOG which is point to dialog and second is CALL-DESCRIPTIONS which is point to descriptionsattribute.

I have run this command but no luck

sourcetype="CALL-DIALOG" callId="AL_a8wKVUUuX2qY7DgmBIg.." | fields id, callId | join id, dialogParty_dialog_id [search sourcetype="CALL-DESCRIPTIONS" | fields dialogParty_dialog_id, attributeKey_id, attributeValue]

thanks

(24 Feb '12, 03:00) orakanggo
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×230
×1

Asked: 24 Feb '12, 02:15

Seen: 957 times

Last updated: 24 Feb '12, 03:01

Copyright © 2005-2014 Splunk Inc. All rights reserved.