Splunk search string (without using JOIN)

Nicholas_Key (Splunk Employee)

What does the 'optimized' Splunk search string (without using JOIN) look like for the following search string?

SELECT column_name(s)
FROM table_name1
INNER JOIN table_name2
ON table_name1.column_name=table_name2.column_name

gkanapathy (Splunk Employee), accepted solution
sourcetype=table_name1 [ search sourcetype=table_name2 | return 10000 column_name ] | fields column_name(s)

which works very well if there are fewer than 10000 distinct column_name values in table_name2, or generally when table_name2 is quite a bit smaller than table_name1.

Depending on the sizes of table_name1, table_name2, and the resulting join, there may be better optimizations, but the above is rather common.
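
The pattern from the accepted answer carried through on a concrete security case. This is an added example, not code from the original post or from Splunk; the sourcetypes `linux_secure` and `ids_alerts` and the fields `src_ip`, `alert_ip`, `severity`, `action` and `user` are assumed for illustration and do not appear on the page. The first search is the subsearch form of `SELECT ... FROM linux_secure INNER JOIN ids_alerts ON linux_secure.src_ip = ids_alerts.alert_ip`, restricted to failed logins from addresses an IDS flagged; the second is the other common no-join idiom, for the case where fields from both sides are needed:

```spl
sourcetype=linux_secure action=failure
    [ search sourcetype=ids_alerts severity=high
      | rename alert_ip AS src_ip
      | dedup src_ip
      | return 10000 src_ip ]
| stats count AS failed_logins, values(user) AS users BY src_ip
| sort - failed_logins

(sourcetype=linux_secure action=failure) OR (sourcetype=ids_alerts severity=high)
| eval src_ip=coalesce(src_ip, alert_ip)
| stats values(user) AS users, values(severity) AS severity, dc(sourcetype) AS sides BY src_ip
| where sides=2
```

In the first search the bracketed subsearch runs first; `rename` aligns the key with the outer field name (this is the ON condition), `dedup` keeps the row count down to the number of distinct keys, and `return 10000 src_ip` turns the rows into a filter of the form `(src_ip="203.0.113.7") OR (src_ip="198.51.100.23") ...` that Splunk substitutes into the outer search before it runs. Two checks are worth making: run the bracketed search on its own (or read the expanded search in the Job Inspector's search.log) to see the filter that was actually generated, and compare `| stats dc(src_ip)` on the IDS side against the subsearch limits in limits.conf (`[subsearch]`, `maxout` defaulting to 10,000 results and `maxtime` to 60 seconds), because a subsearch that hits either limit is truncated and the outer search then silently matches fewer hosts than expected. Note also that `return` with no count returns a single row. The second search avoids those limits entirely by reading both sourcetypes in one pass and keeping only keys seen on both sides (`dc(sourcetype)=2`), at the cost of scanning all of both sets.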

