How can I join two table in Splunk using query like this?
select dialog.id, dialog.callId, dialogParty_dialog_id, attributeKey_id, attributeValue
from dialog, descriptionsattribute
where callid = 'AL_a8wKVUUuX2qY7DgmBIg..' and dialog.id = dialogParty_dialog_id;"
thank you and regards,
Akas
What do you mean by "table"? Splunk doesn't have tables. It does have join and similar operators though, but it's often not a 100% good idea to try to implement the exact same concepts to Splunk searches as with SQL searches. That said, this "Splunk for SQL users" guide should prove useful.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SQLtoSplunk
sorry, I have two sourcetypes, first is CALL-DIALOG which is point to dialog and second is CALL-DESCRIPTIONS which is point to descriptionsattribute.
I have run this command but no luck
sourcetype="CALL-DIALOG" callId="AL_a8wKVUUuX2qY7DgmBIg.." | fields id, callId | join id, dialogParty_dialog_id [search sourcetype="CALL-DESCRIPTIONS" | fields dialogParty_dialog_id, attributeKey_id, attributeValue]
thanks