Solved: Search join with filter

erick_costa · ‎08-07-2012

I want to do the SQL in Splunk:

SELECT TB1.*
FROM TB1
JOIN TB2
ON TB2.ID = TB1.ID
WHERE TB2.OPTION = "OPTION 1"

How do I do this?

rroberts · ‎08-07-2012

Check out this document!

http://www.innovato.com/splunk/SQLSplunk.html

You might find it helpful.

View solution in original post

rroberts · ‎08-07-2012

Check out this document!

http://www.innovato.com/splunk/SQLSplunk.html

You might find it helpful.

sideview · ‎08-07-2012

Although, in many cases the best thing to do is to not think of it as a join, break it down as a) a disjunction (sourcetype=A some terms) OR (sourcetype=B some other terms) b) a little eval to smooth things out in small ways, c) a stats command to pair everything up in the exact same way a join would. the best practice for advanced splunk developers is really to use lookups or stats or transaction, and only actually use the join command as a last resort.

rroberts · ‎08-07-2012

Even better!

sophy · ‎08-07-2012

or, here:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SQLtoSplunk

Search join with filter

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio