Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Equivalent of SQL WHERE IN Subquery clause?

ixixix_spl
Explorer
‎07-17-2018 12:02 PM

Hello,

I am looking for the equivalent of performing SQL like such:

SELECT transaction_id, vendor
FROM orders
WHERE transaction_id IN (SELECT transaction_id FROM events).

I am aware this a way to do this through a lookup, but I don't think it would be a good use case in this situation because there are constantly new transaction_id's generated and several thousand of them within a small timeframe, as well as my goal to create a timechart report.

As of right now I can construct a list of transaction_ids for orders in one search query and a list of transaction_ids for events in another search query, but my ultimate goal is to return order logs that have transaction_ids shared with the transaction_ids of the events log. Any help is greatly appreciated, thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kiamco
Path Finder
‎07-19-2018 10:32 AM

@ixixix_spl so I assuming that transaction_id is unique

 first query
| table transcation_id
| join type=left transcation_id [|search second query
                                     |table orders]

something like that but it gets a bit complicated depending on the fields you want to join but try it out see if it works

View solution in original post

Reply
Solved! Jump to solution
Solution

kiamco
Path Finder
‎07-19-2018 10:32 AM

@ixixix_spl so I assuming that transaction_id is unique

 first query
| table transcation_id
| join type=left transcation_id [|search second query
                                     |table orders]

something like that but it gets a bit complicated depending on the fields you want to join but try it out see if it works

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-17-2018 06:46 PM

You may want to have a look at the "Splunk SPL for SQL Users" manual (http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/SQLtoSplunk).

See if this gets you started.

index=orders vendor=* [ search index=events transaction_id=* | fields transaction_id | format ]
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

kiamco
Path Finder
‎07-17-2018 03:22 PM

have you considered a join instead of a subquery it might be easier

0 Karma
Reply
Solved! Jump to solution

ixixix_spl
Explorer
‎07-18-2018 04:57 PM

@kiamco can you give an example of how you would join two searches by a single field?

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...