https://community.splunk.com/t5/Splunk-Search/Correlating-data-between-two-searches/m-p/459583#M129700 <P>I have a query that goes into an index and filter a particular type of events of interest using stats and returns something like:</P> <P><CODE>search Event_Class = EVENT_TYPE_1</CODE></P> <P>The results get pipped into <CODE>| stats count as Stats1 dc as Stats2 avg(data) as Stats3 by Hostname . String_Field_One, Numeric_Field_One, Dest_IP</CODE></P> <P>This results into something like:</P> <P><CODE>Hostname String _Field_One Numeric_Field_One Dest_IP Stats1 Stats2 Stats3</CODE></P> <P>now the challenge. I would like to use Hostname, String_Field_One to <EM>"lookup"</EM> against data from a separate query, resulting in an additional field being added to the results of the original data.</P> <P><CODE>search Event_Class = EVENT_TYPE_1 HostName=&lt;value_from_hostname_would_go_here&gt; AND String_Field_One=&lt;value_from_String_Field_One_should_go_here&gt; AND Numeric_Field_One=&lt;value_from_numeric_field_one_would_go_here&gt; | head 1 | table String_Field_That_I_Want_To_Join</CODE></P> <P>Can Splunk do this?</P> Tue, 29 Sep 2020 20:38:33 GMT rhinomike 2020-09-29T20:38:33Z https://community.splunk.com/t5/Splunk-Search/Correlating-data-between-two-searches/m-p/459583#M129700 <P>I have a query that goes into an index and filter a particular type of events of interest using stats and returns something like:</P> <P><CODE>search Event_Class = EVENT_TYPE_1</CODE></P> <P>The results get pipped into <CODE>| stats count as Stats1 dc as Stats2 avg(data) as Stats3 by Hostname . String_Field_One, Numeric_Field_One, Dest_IP</CODE></P> <P>This results into something like:</P> <P><CODE>Hostname String _Field_One Numeric_Field_One Dest_IP Stats1 Stats2 Stats3</CODE></P> <P>now the challenge. I would like to use Hostname, String_Field_One to <EM>"lookup"</EM> against data from a separate query, resulting in an additional field being added to the results of the original data.</P> <P><CODE>search Event_Class = EVENT_TYPE_1 HostName=&lt;value_from_hostname_would_go_here&gt; AND String_Field_One=&lt;value_from_String_Field_One_should_go_here&gt; AND Numeric_Field_One=&lt;value_from_numeric_field_one_would_go_here&gt; | head 1 | table String_Field_That_I_Want_To_Join</CODE></P> <P>Can Splunk do this?</P> Tue, 29 Sep 2020 20:38:33 GMT https://community.splunk.com/t5/Splunk-Search/Correlating-data-between-two-searches/m-p/459583#M129700 rhinomike 2020-09-29T20:38:33Z https://community.splunk.com/t5/Splunk-Search/Correlating-data-between-two-searches/m-p/459584#M129701 <P>Perhaps sub search can help??</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchTutorial/Useasubsearch">http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchTutorial/Useasubsearch</A><BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.1.2/Search/Usesubsearchtocorrelateevents">https://docs.splunk.com/Documentation/Splunk/7.1.2/Search/Usesubsearchtocorrelateevents</A></P> Wed, 25 Jul 2018 09:57:54 GMT https://community.splunk.com/t5/Splunk-Search/Correlating-data-between-two-searches/m-p/459584#M129701 mwdbhyat 2018-07-25T09:57:54Z https://community.splunk.com/t5/Splunk-Search/Correlating-data-between-two-searches/m-p/459585#M129702 <P>I had a look on those, however subsearches seem to behave more like SQL's UNION or Sub-SELECT statements than a proper lookup. They are just not powerful enough (or incredibly poorly documented)...</P> Fri, 27 Jul 2018 01:07:49 GMT https://community.splunk.com/t5/Splunk-Search/Correlating-data-between-two-searches/m-p/459585#M129702 rhinomike 2018-07-27T01:07:49Z