Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to join search results without using join command?

usersplunktest
New Member
‎12-02-2016 03:03 AM

I have this situation:

Table1
Id
Field1
Field2
Field3

Table2
Id
FieldA
FieldB

I need this result:

Id
Field1
Field2
Field3
FieldA
FieldB

Ok... that's easy, right?
But I can't use "join" clause and subsearch.

I've tried transaction and others options, but the result is wrong.

Can somebody help me?

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎12-02-2016 09:37 AM

As I think on this, you may not even need append. You might be able to get by with just using OR between the two things you are searching for. Like...

source=Table1 OR source=Table2

And, if you want it sorted like in your example,

source=Table1 OR source=Table2 | sort Id

Splunk normally puts AND between terms, using OR just ... well, makes it OR.

Happy Splunking!
-Rich

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎12-02-2016 04:34 AM

That's append that you want. It just takes one set of results and adds another set of results to it, like pasting new rows at the end of a spreadsheet or something.

search that returns the Field1-4 rows | append [search search that returns the FieldA-C rows ]

There's lot of good examples in the docs I linked above. I suggest reviewing those closely to learn how it handles certain things.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...