Join is much more efficient. Is it possible to fillnull on a join so that I can collect the results for events for which there isn't an event to join?
sourcetype=1 | join host [ search sourcetype=2 | fields host,result ] | table host,result
↧
Channel:
Latest Questions on Splunk Answers
X
Are you the publisher?
Claim or
contact us
about this channel.
X
0
Channel Details:
- Title: Latest Questions on Splunk Answers
- Channel Number: 11982148
- Language: English
- Registered On: April 15, 2013, 2:15 am
- Number of Articles: 13053
- Latest Snapshot: October 4, 2015, 12:21 am
- RSS URL: http://splunk-base.splunk.com/answers/?type=rss
- Publisher: http://answers.splunk.com/answers/index.html
- Description: The latest questions
- Catalog: //questions509.rssing.com/catalog.php?indx=11982148
© 2025 //www.rssing.com