Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Left outer join in splunk

asarolkar
Builder
‎04-04-2012 04:21 PM

I have a sourcetype A - which has a field by the name of MOD_SN
I have another index B ( I can only use the name of the index and not the name of the sourcetype for the second table) which has a field by the name of MOD_SN as well.

I am trying to do a left outer join on MOD_SN - the Great Goal is to be able to get every MOD_SN in sourcetype A which does NOT match a MOD_SN in B

sourcetype = "A" MOD_SN=* | dedup MOD_SN | fields MOD_SN | 
join type=outer MOD_SN [search index="B" | where isnull(MOD_SN) | fields MOD_SN ] | table MOD_SN

Does this look ok ????

I am trying to recreate what can be done in sql in splunk and I actually tried doing a subsearch but that was not beneficial

Tags (3)
0 Karma
Reply

asarolkar
Builder
‎04-04-2012 10:21 PM

This search did not work at all :

sourcetype=A MOD_SN=* NOT [ search index=B MOD_SN=* | return 10000 MOD_SN ] | dedup MOD_SN | table MOD_SN

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎04-04-2012 07:27 PM

Splunk isn't a relational database, so while it's possible to do a left outer join, it's not a good way to implement it using the join command. The most efficient way in Splunk to get the results you want is probably:

sourcetype=A MOD_SN=* NOT [ search index=B MOD_SN=* | return 10000 MOD_SN ] | dedup MOD_SN | table MOD_SN

which will work as long as there are no more than 10000 distinct MOD_SN values in B. Unfortunately, this is simply not a terribly easy result to compute. Another way that would work (and again, be more efficient than the join command) is:

sourcetype=A OR index=B MOD_SN=* 
| eval s=case(index=="B","b",sourcetype=="A","a",null())
| chart count by MOD_SN,s
| where a > 0 AND b==0

There are other possible queries, but selecting which one is best depends on the approximate expected sizes of A and B and the number of distinct values of MOD_SN in each, much in the way that a SQL database may generate table statistics to help the optimizer choose a query plan.

0 Karma
Reply

asarolkar
Builder
‎04-04-2012 09:48 PM

What are lowercase a and lowercase b ?

I dont get this segment

| eval s=case(index=="B","b",sourcetype=="A","a",null())
| chart count by MOD_SN,s
| where a > 0 AND b==0

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...