The main search lists all events from sourcetype=A; there is a field CID.
The second search lists all events from sourcetype=B, where secondsearchCID=mainsearchCID.
Finally, I would like to list all those events together.
In SQL it is something like table1 LEFT JOIN table2 ON table1.CID=table2.CID
I tried with the Splunk join command, but it is just adding fields from the second search's events to events in the main search.
I would like to add the whole events from the second search that meet the condition with CID described above.
I also tried using transaction CID, but in this case I lose some events from sourcetype A that don't have a CID field (so it is not like LEFT JOIN).
How to do that then?
Regards,
Wojtek