Splunk Search

Can Splunk join on multiple columns?

suhprano
Path Finder

How can you search Splunk to return a join on 2 columns

sourcetype=test1 [search sourcetype=test2 | fields col1, col2] | fields col1, col2, col3

Basically, I want something like

SELECT * FROM test1 JOIN test2 ON test1.col1 = test2.col1 AND test1.col2 = test2.col2
1 Solution

hazekamp
Builder

You should be able to do this by specifying multiple fields in Splunk's join command:

sourcetype=test1 | fields col1,col2 | join col1,col2 [search sourcetype=test2 | fields col1,col2,col3]


marcoscala
Builder

How to achieve the same result, but when the field names are different? I have the problem of rebuilding transactions from postfix/amavis logs, where the message is processed by a pipeline of different steps/processes and at a certain point a new processing request is queued in the pipeline. I have in an event the original "queue_id" and a new "queued_as" id, which in a later event will appear as a new "queue_id".

So I need to correlate events with a "queue_id" with events that have the same "queued_as" value.

Ideas?!?


the_wolverine
Champion

Try asking this as a new question so others can find it and make use of it more easily. In your case, have you tried using coalesce for the queue_id and queued_as fields?


jslealdi
Explorer

Try rename
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Rename
| rename original_field as "new_name"


gkanapathy
Splunk Employee

It's unnecessary (and undesirable mostly) to use join if you can just use: `sourcetype=test1 [search sourcetype=test2 | dedup col1 col2 | fields col1 col2]`

This is basically your original search, but it should work just fine unless you've got more than a few thousand distinct col1,col2 value pairs.

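Added example, not from any post in this thread: a small Python model of the three SPL patterns discussed above (join on col1,col2; the subsearch-as-filter with dedup; and a subsearch-free stats idiom) run over constructed rows standing in for sourcetype=test1 and test2. It makes visible two things the searches alone do not show: Splunk's `join` takes only one subsearch row per main row unless `max=0` is set, and a subsearch used as a filter is silently capped at the limits.conf `[subsearch] maxout` setting (default 10000); the maxout and join defaults here are the stock Splunk values, not anything from the thread.

```python
# Added example (not from the thread): a model of the SPL patterns above on a
# two-field key. Constructed rows stand in for sourcetype=test1 / test2.
from collections import defaultdict

KEYS = ("col1", "col2")
TEST1 = [  # constructed: two main-search rows share the key (a, 1)
    {"col1": "a", "col2": 1, "extra": "t1-x"},
    {"col1": "a", "col2": 1, "extra": "t1-y"},
    {"col1": "b", "col2": 2, "extra": "t1-z"},
    {"col1": "c", "col2": 3, "extra": "t1-w"},
]
TEST2 = [  # constructed: (a, 1) matches twice, (d, 4) has no main-search row
    {"col1": "a", "col2": 1, "col3": "first"},
    {"col1": "a", "col2": 1, "col3": "second"},
    {"col1": "b", "col2": 2, "col3": "only"},
    {"col1": "d", "col2": 4, "col3": "unmatched"},
]

def key_of(row):
    return tuple(row[k] for k in KEYS)

def spl_join(main, sub, max_matches=1):
    """`... | join col1,col2 [subsearch]`: inner join; each main row takes at most
    `max_matches` subsearch rows (SPL default max=1, 0 = unlimited; overwrite=true)."""
    by_key = defaultdict(list)
    for r in sub:
        by_key[key_of(r)].append(r)
    out = []
    for m in main:
        matches = by_key.get(key_of(m), [])
        out.extend({**m, **r} for r in (matches[:max_matches] if max_matches else matches))
    return out

def spl_subsearch_filter(main, sub, maxout=10000):
    """`sourcetype=test1 [search sourcetype=test2 | dedup col1 col2 | fields col1 col2]`:
    deduped subsearch keys filter the main search, capped at [subsearch] maxout."""
    allowed = list(dict.fromkeys(key_of(r) for r in sub))  # dedup, keeps first-seen order
    allowed = set(allowed[:maxout])  # rows past the cap are dropped without warning
    return [m for m in main if key_of(m) in allowed]

def stats_join(main, sub):
    """`(test1 OR test2) | stats values(col3) AS col3 dc(sourcetype) AS sides BY col1 col2
    | where sides=2`: one pass, no subsearch caps; col3 becomes a multivalue field."""
    groups = defaultdict(lambda: {"col3": set(), "sides": set()})
    for side, rows in (("test1", main), ("test2", sub)):
        for r in rows:
            groups[key_of(r)]["sides"].add(side)
            if "col3" in r:
                groups[key_of(r)]["col3"].add(r["col3"])
    return {k: sorted(g["col3"]) for k, g in groups.items() if len(g["sides"]) == 2}
```

With the constructed rows, `spl_join` returns three rows carrying only the "first" col3 value for (a, 1), while `max_matches=0` returns five; `spl_subsearch_filter(..., maxout=1)` quietly drops the (b, 2) rows.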

suhprano
Path Finder

Thanks! Do you know if there's a limit to how many subsearches or joins Splunk restricts?
