I have this situation:
Table1
Id | Field1 | Field2 | Field3
Table2
Id | FieldA | FieldB
I need this result:
Id | Field1 | Field2 | Field3 | FieldA | FieldB
Ok... that's easy, right?
But I can't use "join" clause and subsearch.
I've tried transaction and other options, but the result is wrong.
Can somebody help me?
As I think on this, you may not even need append. You might be able to get by with just using OR between the two things you are searching for. Like...
source=Table1 OR source=Table2
And, if you want it sorted like in your example,
source=Table1 OR source=Table2 | sort Id
Splunk normally puts AND between terms, using OR just ... well, makes it OR.
Happy Splunking!
-Rich
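Added example, not part of the original answers: the OR search above returns the Table1 and Table2 events as separate rows, and grouping them with stats by Id collapses them into one row per Id without join or a subsearch. The four sample events are constructed with makeresults, and their field values are made up for illustration.

```spl
| makeresults count=4
| streamstats count AS n
| eval source=if(n<=2, "Table1", "Table2")
| eval Id=if(n%2==1, 1, 2)
| eval Field1=if(source=="Table1", "f1-".tostring(Id), null())
| eval Field2=if(source=="Table1", "f2-".tostring(Id), null())
| eval Field3=if(source=="Table1", "f3-".tostring(Id), null())
| eval FieldA=if(source=="Table2", "fa-".tostring(Id), null())
| eval FieldB=if(source=="Table2", "fb-".tostring(Id), null())
| stats values(Field1) AS Field1 values(Field2) AS Field2 values(Field3) AS Field3 values(FieldA) AS FieldA values(FieldB) AS FieldB BY Id
```

On indexed data, the lines before stats are replaced by the OR search from the answer, source=Table1 OR source=Table2.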
That's append that you want. It just takes one set of results and adds another set of results to it, like pasting new rows at the end of a spreadsheet or something.
search that returns the Field1-4 rows | append [search search that returns the FieldA-C rows ]
There are a lot of good examples in the docs I linked above. I suggest reviewing those closely to learn how it handles certain things.