I am using Splunk Enterprise. There are two sourcetypes, A and B, and they share the same field, UserName. The search time range of A changes according to the time picker, while the time range of B is -30d@d.
B has fewer UserName values than A (B is a subset of A), and what I want is to use B's UserName values, combine them with A, and then return A's other fields.
Since both sourcetypes A and B are huge, I tried to save the sourcetype B search with -30d@d in a lookup to make the subsearch quicker. But this search is still about 250-300MB, which exceeds the limit of 200MB. It makes Splunk run forever.
The search is like this:
index=whatever sourcetype=A
| join UserName [inputlookup B-lookup]
| table UserName, "B's fields", "A's fields"
I tried to use stats but did not find a way to do the combination.
Is there anyone who could help with doing the combination without using join? Thanks.
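One way to do this combination with stats instead of join, added here as an example and not part of the asker's post. It reads both sourcetypes in a single search (no subsearch and no lookup, so the 200MB limit never comes into play), gives the B clause its own earliest while the A clause keeps the time picker range, and then groups by UserName. The field names B_field1, B_field2, A_field1 and A_field2 are placeholders for the real fields on each side:

```spl
(index=whatever sourcetype=A) OR (index=whatever sourcetype=B earliest=-30d@d)
| eval from_B=if(sourcetype=="B", 1, 0)
| stats sum(from_B) AS b_events,
        values(B_field1) AS B_field1, values(B_field2) AS B_field2,
        values(A_field1) AS A_field1, values(A_field2) AS A_field2
        BY UserName
| where b_events > 0
| fields - b_events
| table UserName, B_field1, B_field2, A_field1, A_field2
```

A events carry null for the B fields and B events carry null for the A fields, so values() simply picks up whichever side has a value; the `where b_events > 0` step keeps only UserName values that appeared in B during the last 30 days, which is the subset you want. Note that stats collapses A down to one row per UserName; if you need every A event kept intact with B's fields attached, replace stats with `eventstats max(from_B) AS b_events, values(B_field1) AS B_field1, values(B_field2) AS B_field2 BY UserName` and follow it with `| where sourcetype=="A" AND b_events=1` (eventstats has its own memory limits, so test it on your data volume). Before trusting the result, run the first line alone with `| stats min(_time) max(_time) count BY sourcetype` to confirm that A was read over the picker range and B over the last 30 days.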