Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

join two table

splunkpoornima
Communicator
‎10-19-2012 03:50 AM

hi all ,

after using the below search i got one table which has the transactional data as

source="aaa"|transaction TaskName startswith=START endswith=Succeeded|table TaskBP duration

TaskName duration

Task1 1.90

Task2 2.67

Task1 7.55

another table with Taskname and its average duration by using the below search

source="aaa"|transaction TaskName startswith=START endswith=Succeeded|stats avg(duration) by taskname |table taskname avg(duration)

i want to join these two searches so that my table will become as

Taskname duration avg(duration)

Task1 1.90 12.4

task2 2.67 5.9

Task1 7.55 12.4

i think of using the left outer join..plz help in writing the search

Tags (1)
0 Karma
Reply

shayhk
Explorer
‎12-17-2013 06:10 AM

hi,

I have the same problem

mysearchA | table field1 field2
| JOIN field1 [ mysearchB | table field1 field3]
| table field1 field2 field3

what is the mySearchA,mySearchB stands for ?
my data provider(file) is a host named XXX
when i am using a host=XXX in both of "mySearchA,B" expression i am getting an error

help needed
Thanks shay

Reply

yannK
Splunk Employee
Splunk Employee
‎12-17-2013 09:44 AM

You want that the searchA and searchB return a single line per field1, otherwise the join between the 2 lists will be wrong.

An example with a join between a list of users and the logins per server can be :
index=users username=* email=*
| stats values(email) AS email by username
| JOIN username
[
search index=servers login username=*
| stats values(host) AS server_login_list earliest(_time) AS recent_login earliest(host) AS recent_server by username
]
| table username email server_login_list recent_login recent_server

0 Karma
Reply

somesoni2
Revered Legend
‎12-17-2013 06:35 AM

try "source=XXX"

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎10-21-2012 08:21 AM

use a join on the common field

mysearchA | table field1 field2
| JOIN field1 [ mysearchB | table field1 field3]
| table field1 field2 field3

see http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join

Reply

Ayn
Legend
‎10-19-2012 04:24 AM

How is this different from the other question you had regarding adding an avg(duration) value to your search?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...