Reputation: 99
query splunk query joining 2 data tables
1 database — columns a, b c, 2 database - columns d , e, f.
I want a splunk query where the data from column a from db1 to join data with column d in db2 and display the results in table format
Upvotes: 0
Views: 35
Answers (1)
Reputation: 9926
Splunk doesn't have "databases" or "columns". They're called "indexes" and "fields", respectively.
To query data in Splunk, use the search command, which is implied before the first |. Then use the table command to display the results in a table.
index = db1 | table a b c
You can combine tables with the join command much like in SQL, however, it is not very performant.
index = db1
| join type=left left=L right=R where L.a = R.d
[ search index = db2 ]
A method that performs better is two search both indexes at the same time and use the stats commands to group the results on a shared field.
(index = db1 OR index = db2)
``` Create a common field for grouping results ```
| eval a=coalesce(a, d)
| stats values(*) as * by a
The coalesce function selects first of its arguments that is not null. It ensures each result will have a field called a for grouping.
Upvotes: 1
Related Questions
- How to separate out basic search of splunk in two different columns?
- Extract data from splunk
- how to write splunk query to create a table view
- Display result count of multiple search query in Splunk table
- Splunk dbxquery merge with splunk search
- Splunk query for simple bar chart dashboard
- How to write Splunk query to get first and last request time for each sources along with each source counts in a table output
- How to get data from _raw in Splunk
- How to filter data of one splunk search from another splunk search
- Table from logs in Splunk