1 database — columns a, b c, 2 database - columns d , e, f.
I want a splunk query where the data from column a from db1 to join data with column d in db2 and display the results in table format
Splunk doesn't have "databases" or "columns". They're called "indexes" and "fields", respectively.
To query data in Splunk, use the search command, which is implied before the first |. Then use the table command to display the results in a table.
index = db1 | table a b c
You can combine tables with the join command much like in SQL, however, it is not very performant.
index = db1
| join type=left left=L right=R where L.a = R.d
[ search index = db2 ]
A method that performs better is two search both indexes at the same time and use the stats commands to group the results on a shared field.
(index = db1 OR index = db2)
``` Create a common field for grouping results ```
| eval a=coalesce(a, d)
| stats values(*) as * by a
The coalesce function selects first of its arguments that is not null. It ensures each result will have a field called a for grouping.