Splunk Search

How can I join three fields with a common ID field?

sravankaripe
Communicator

alt text

Hi,

i want to join all three fields with common id field. please help me with search query

| table id servicename errordetails

i have data like this
Ex:
In index = abc "error"
servicename id


abc 101
gfg 102
hhv 105

and In index = abc "errordetails"
id errordetails


103 error1
102 error5
104 errorabc
105 error4545

i want to join both by field "id". so i want data like this

id servicename errordetails

102 gfg error5
105 hhy error4545

Please help me with this

0 Karma
1 Solution

cmerriman
Super Champion

try something like this to avoid using join, as there are limits.

(index = abc "errordetails") OR (index = abc "error")
|stats values(servicename) as servicename values(errordetails) as errordetails by id
|where isnotnull(servicename) AND isnotnull(errordetails)

the where statement should ensure you're only grabbing ids that include both errordetails and servicename, without it, it's like an outer join.

View solution in original post

cmerriman
Super Champion

try something like this to avoid using join, as there are limits.

(index = abc "errordetails") OR (index = abc "error")
|stats values(servicename) as servicename values(errordetails) as errordetails by id
|where isnotnull(servicename) AND isnotnull(errordetails)

the where statement should ensure you're only grabbing ids that include both errordetails and servicename, without it, it's like an outer join.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...