Description: The traditional join command joins the results from the main results pipeline with the search pipeline results provided as the last argument. The join command is used to merge the results of a. Optionally specifies the exact fields to join on. If no fields are specified, all fields that are shared by both result sets will be used. You start off the outer search with searching for Field1 and then use the subsearch for adding a search for Field2 if the subsearch. You however need the inner / outer join in case you want common fields.

Description: Specifies the maximum number of subsearch results that each main search result can join with.

The eval command calculates an expression and puts the resulting value into a search results field. If the field name that you specify does not match a field in the output, a new field is added to the search results.

Hi - Firstly if you do not specifically specify the join type it takes default as inner - from splunk join documentation 'Syntax: type=inner | outer | left. Description: Indicates the type of join to perform. The difference between an inner and a left (or outer) join is how the events are treated in the main search that do not match any of the events in the subsearch. The results of an inner join do not include events from the main search that have no matches in the subsearch. In both inner and left joins, events that match are joined. The results of a left (or outer) join includes all of the events in the main search and only those values in the subsearch that have matching field values.' So probably what you need is - index=primary | join type=left Customer max=0 | table Customer Spend. The reason your query is working is because you have same values for customer in both searches. Without specifying a 'left' join type say if there was a customer value 4, you would not have got any returns from the sub search even if there was a customer with value 4 in the sub search.

If I remove the 'type=outer', making it an inner join, I get the below results, so I know the join works for the inner: col1 col2 col3 123 abc xyz. It seems almost as if Splunk is doing the outer join on the two columns independently, so I get more results than I need.