Solved: Re: Joining two searches

soumidutta · ‎10-27-2018

Hi ,

I want to join two searches without using Join command ?
I don't want to use join command for optimization issue.
Index name is same for both the searches but i was using different aggregate functions with the search .

iamarkaprabha · ‎10-27-2018

Hi ,

You can use the same search for these optimization issue.
I prefer to write it like this.

index=indexname 
| stats dc(yourfield) count(eval(anotherfield=fieldvalue)) by other field names

View solution in original post

iamarkaprabha · ‎10-27-2018

Hi ,

You can use the same search for these optimization issue.
I prefer to write it like this.

index=indexname 
| stats dc(yourfield) count(eval(anotherfield=fieldvalue)) by other field names

soumidutta · ‎10-27-2018

Thanks, I was looking for this one

iamarkaprabha · ‎10-27-2018

Hi ,

If i am able to answer your query , Can you please mark this answer as accepted ?

renjith_nair · ‎10-27-2018

@soumidutta,

Would it be possible to provide more details ? Do you have a common field in both searches? Or how do you want to join them? How are the events look like and what's your expected output?

---
What goes around comes around. If it helps, hit it with Karma 🙂

Joining two searches

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?