https://community.splunk.com/t5/Splunk-Search/Alternative-method-to-using-Join-command/m-p/532978
join is slow and the number of results it returns is limited, so it is not recommended.
---
The following two searches produce the same result.
join approach
index="log_pd_com" uri_path IN (/pd/install)
| stats dc(clientip) as inst_device by clientip
| join type=left clientip
[ search index="log_pd_com" uri_path IN (/pd/uninstall)
| stats dc(clientip) as uninst_device by clientip]
Using stats instead of join
index="log_pd_com" uri_path IN (/pd/install, /pd/uninstall)
| stats count by clientip, uri_path
| rex field=uri_path "^/[^/]+/(?<path_type>.*)$"
| eval inst_device = if(path_type="install", 1, NULL)
| eval uninst_device = if(path_type="uninstall", 1, NULL)
| stats values(inst_device) as inst_device values(uninst_device) as uninst_device by clientip
| where inst_device=1
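The same per-clientip correlation can be written without the intermediate rex and the two eval steps by counting conditionally inside a single stats call. The search below is an added example, not code from the original post or from the linked Splunk Community thread; it assumes the same index, uri_path values and clientip field as the original searches, and the extra status and first_seen/last_seen fields are my additions for illustration.

```spl
index="log_pd_com" uri_path IN (/pd/install, /pd/uninstall)
| stats count(eval(uri_path="/pd/install")) as inst_count,
        count(eval(uri_path="/pd/uninstall")) as uninst_count,
        min(_time) as first_seen,
        max(_time) as last_seen
        by clientip
| where inst_count > 0
| eval inst_device = 1,
       uninst_device = if(uninst_count > 0, 1, null())
| eval status = if(uninst_count > 0, "uninstalled", "installed")
| table clientip inst_device uninst_device inst_count uninst_count status first_seen last_seen
```

The `where inst_count > 0` line plays the role of the left join: only clients that have at least one install event survive, and clients that uninstalled without a matching install are dropped, exactly as in the original. Because everything is aggregated in one pass over the events, the result is not subject to the subsearch result limit that applies to join.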
---
https://conf.splunk.com/files/2020/slides/TRU1761C.pdf