https://community.splunk.com/t5/Splunk-Search/Matching-dissimilar-field-titles-with-a-Subsearch/m-p/374706#M110129 <P>Try like this</P> <PRE><CODE> index=_audit action="search" search="*" NOT user="splunk-system-user" savedsearch_name="" NOT search="\'|history*" NOT search="\'typeahead*" user!=NULL user!=admin search_id!="\'subsearch*" |bucket _time span=day |stats count by user | sort 10 -count | join user type=left [ |rest /servicesNS/-/-/authentication/users splunk_server=local|search NOT title=admin|table title,realname,type,email | rename title as user] </CODE></PRE> Thu, 29 Jun 2017 19:18:29 GMT somesoni2 2017-06-29T19:18:29Z https://community.splunk.com/t5/Splunk-Search/Matching-dissimilar-field-titles-with-a-Subsearch/m-p/374702#M110125 <P>Background is that I'm trying to pull in LDAP full names in from one search, and match that to UID from another search.</P> <P>My LDAP full name query is:</P> <PRE><CODE>|rest /servicesNS/-/-/authentication/users splunk_server=local|search NOT title=admin|fields title,realname,type,email </CODE></PRE> <P>The "matching" field here is "title", and the value I want is "realname"</P> <P>My other search grabs the top 10 search users for the past 7 days:</P> <PRE><CODE>index=_audit action="search" search="*" NOT user="splunk-system-user" savedsearch_name="" NOT search="\'|history*" NOT search="\'typeahead*" user!=NULL user!=admin search_id!="\'subsearch*" |bucket _time span=day |stats count by user | table user count|head 10 | sort -count </CODE></PRE> <P>The field that returns from this is "user". So what I need is to take the value of "user", match it to previous search's "title", and spit out "realname" so I can sub that in for "user"</P> <P>I can't find any good information on my exact scenario</P> Thu, 29 Jun 2017 18:40:40 GMT https://community.splunk.com/t5/Splunk-Search/Matching-dissimilar-field-titles-with-a-Subsearch/m-p/374702#M110125 sheltomt 2017-06-29T18:40:40Z https://community.splunk.com/t5/Splunk-Search/Matching-dissimilar-field-titles-with-a-Subsearch/m-p/374703#M110126 <P>Like this:</P> <PRE><CODE>index=_audit action="search" search="*" NOT user="splunk-system-user" savedsearch_name="" NOT search="\'|history*" NOT search="\'typeahead*" user!=NULL user!=admin search_id!="\'subsearch*" |bucket _time span=day |stats count by user | table user count |head 10 | sort -count | appendpipe [|rest /servicesNS/-/-/authentication/users splunk_server=local |search NOT title=admin|fields title realname type email | rename title AS user | eval DROPME="true"] | evenstats values(realname) AS realname BY user | where isnotnull(DROPME) </CODE></PRE> Thu, 29 Jun 2017 18:54:33 GMT https://community.splunk.com/t5/Splunk-Search/Matching-dissimilar-field-titles-with-a-Subsearch/m-p/374703#M110126 woodcock 2017-06-29T18:54:33Z https://community.splunk.com/t5/Splunk-Search/Matching-dissimilar-field-titles-with-a-Subsearch/m-p/374704#M110127 <P>So looking over your solution, I see where I was going wrong on the subsearch.</P> <P>However, your solution appears to only return values of the subsearch. There is no count from the outer search</P> <P>I'm trying to get an output of strictly realname and then a count field for how many searches they've done</P> Thu, 29 Jun 2017 19:06:42 GMT https://community.splunk.com/t5/Splunk-Search/Matching-dissimilar-field-titles-with-a-Subsearch/m-p/374704#M110127 sheltomt 2017-06-29T19:06:42Z https://community.splunk.com/t5/Splunk-Search/Matching-dissimilar-field-titles-with-a-Subsearch/m-p/374705#M110128 <P>I only see <CODE>subsearch</CODE> in your subject line. Which is the search and which is the subsearch? Show the combined search and maybe that will help.</P> Thu, 29 Jun 2017 19:16:53 GMT https://community.splunk.com/t5/Splunk-Search/Matching-dissimilar-field-titles-with-a-Subsearch/m-p/374705#M110128 woodcock 2017-06-29T19:16:53Z https://community.splunk.com/t5/Splunk-Search/Matching-dissimilar-field-titles-with-a-Subsearch/m-p/374706#M110129 <P>Try like this</P> <PRE><CODE> index=_audit action="search" search="*" NOT user="splunk-system-user" savedsearch_name="" NOT search="\'|history*" NOT search="\'typeahead*" user!=NULL user!=admin search_id!="\'subsearch*" |bucket _time span=day |stats count by user | sort 10 -count | join user type=left [ |rest /servicesNS/-/-/authentication/users splunk_server=local|search NOT title=admin|table title,realname,type,email | rename title as user] </CODE></PRE> Thu, 29 Jun 2017 19:18:29 GMT https://community.splunk.com/t5/Splunk-Search/Matching-dissimilar-field-titles-with-a-Subsearch/m-p/374706#M110129 somesoni2 2017-06-29T19:18:29Z https://community.splunk.com/t5/Splunk-Search/Matching-dissimilar-field-titles-with-a-Subsearch/m-p/374707#M110130 <P>Ahh, got yours to work much better with last line being "where isnull(DROPME)"</P> Thu, 29 Jun 2017 19:27:28 GMT https://community.splunk.com/t5/Splunk-Search/Matching-dissimilar-field-titles-with-a-Subsearch/m-p/374707#M110130 sheltomt 2017-06-29T19:27:28Z https://community.splunk.com/t5/Splunk-Search/Matching-dissimilar-field-titles-with-a-Subsearch/m-p/374708#M110131 <P>I have no idea which of you to award solution to. They both work well, and I'll use them in future solutions. I'll give you both points.</P> Thu, 29 Jun 2017 19:29:04 GMT https://community.splunk.com/t5/Splunk-Search/Matching-dissimilar-field-titles-with-a-Subsearch/m-p/374708#M110131 sheltomt 2017-06-29T19:29:04Z https://community.splunk.com/t5/Splunk-Search/Matching-dissimilar-field-titles-with-a-Subsearch/m-p/374709#M110132 <P>So I was dropping the wrong set.</P> Thu, 29 Jun 2017 19:31:06 GMT https://community.splunk.com/t5/Splunk-Search/Matching-dissimilar-field-titles-with-a-Subsearch/m-p/374709#M110132 woodcock 2017-06-29T19:31:06Z