https://community.splunk.com/t5/Splunk-Search/Can-anyone-suggest-how-I-can-create-a-join-query-using-pattern/m-p/499208#M139052 <P>This information should have been included in the question.<BR /> @to4kawa's answer should do the job.</P> Sat, 30 Nov 2019 12:50:47 GMT richgalloway 2019-11-30T12:50:47Z https://community.splunk.com/t5/Splunk-Search/Can-anyone-suggest-how-I-can-create-a-join-query-using-pattern/m-p/499204#M139048 <P>Eg<BR /> eg in fuse.log I have a entry like userId=abc<BR /> while in access.log i have entry like sessionid-12232 | abc | xyz<BR /> Output I want is like <BR /> abc | xyz | sessionid-12232<BR /> Can you please suggest how can i join these two using pattern</P> Fri, 29 Nov 2019 10:30:02 GMT https://community.splunk.com/t5/Splunk-Search/Can-anyone-suggest-how-I-can-create-a-join-query-using-pattern/m-p/499204#M139048 ayush8878 2019-11-29T10:30:02Z https://community.splunk.com/t5/Splunk-Search/Can-anyone-suggest-how-I-can-create-a-join-query-using-pattern/m-p/499205#M139049 <P>Assuming access.log has fields 'sessionid', 'userid', and 'foo' and they're already extracted then this should get you started.</P> <PRE><CODE>source=fuse.log OR source=access.log | stats values(*) as * by userid | table userid foo sessionid </CODE></PRE> Sat, 30 Nov 2019 04:27:19 GMT https://community.splunk.com/t5/Splunk-Search/Can-anyone-suggest-how-I-can-create-a-join-query-using-pattern/m-p/499205#M139049 richgalloway 2019-11-30T04:27:19Z https://community.splunk.com/t5/Splunk-Search/Can-anyone-suggest-how-I-can-create-a-join-query-using-pattern/m-p/499206#M139050 <P>hey, Thank you very much for the response but the scenario is little different<BR /> in fuse.log I have fields like <BR /> userId=abc | session=123 | time=12:00 IST<BR /> so splunk is able to concider then as 3 fields i.e. userId,session,time<BR /> while in access.log i only have values but not field name i.e <BR /> foo-abc-12:00 IST-data<BR /> What I need to achieve is get the userid from fuse.log and find that id in access.log and print userid |session | data</P> Sat, 30 Nov 2019 10:07:00 GMT https://community.splunk.com/t5/Splunk-Search/Can-anyone-suggest-how-I-can-create-a-join-query-using-pattern/m-p/499206#M139050 ayush8878 2019-11-30T10:07:00Z https://community.splunk.com/t5/Splunk-Search/Can-anyone-suggest-how-I-can-create-a-join-query-using-pattern/m-p/499207#M139051 <PRE><CODE>| makeresults | eval _raw="userId=abc,session=123,time=12:00_IST" | kv | eval time=replace(time,"_"," ") | append [| makeresults | eval _raw="foo-abc-12:00 IST-data" ] `comment("this is sample data")` | rex "(?&lt;user&gt;[^\-]+)-(?&lt;userId&gt;[^\-]+)-(?&lt;time&gt;[^\-]+)-(?&lt;data&gt;.+)" | stats values(*) as * by userId | eval session="sessionid-".session | table userId user session </CODE></PRE> <P>I uased @richgalloway 's query, thanks.</P> <PRE><CODE> source=fuse.log OR source=access.log | rex "(?&lt;user&gt;[^\-]+)-(?&lt;userId&gt;[^\-]+)-(?&lt;time&gt;[^\-]+)-(?&lt;data&gt;.+)" | stats values(*) as * by userid | eval session="sessionid-".session | table userid user sessionid </CODE></PRE> <P>How about this?</P> Sat, 30 Nov 2019 10:43:41 GMT https://community.splunk.com/t5/Splunk-Search/Can-anyone-suggest-how-I-can-create-a-join-query-using-pattern/m-p/499207#M139051 to4kawa 2019-11-30T10:43:41Z https://community.splunk.com/t5/Splunk-Search/Can-anyone-suggest-how-I-can-create-a-join-query-using-pattern/m-p/499208#M139052 <P>This information should have been included in the question.<BR /> @to4kawa's answer should do the job.</P> Sat, 30 Nov 2019 12:50:47 GMT https://community.splunk.com/t5/Splunk-Search/Can-anyone-suggest-how-I-can-create-a-join-query-using-pattern/m-p/499208#M139052 richgalloway 2019-11-30T12:50:47Z https://community.splunk.com/t5/Splunk-Search/Can-anyone-suggest-how-I-can-create-a-join-query-using-pattern/m-p/499209#M139053 <P>Thanks @richgalloway @to4kawa </P> Mon, 02 Dec 2019 16:58:44 GMT https://community.splunk.com/t5/Splunk-Search/Can-anyone-suggest-how-I-can-create-a-join-query-using-pattern/m-p/499209#M139053 ayush8878 2019-12-02T16:58:44Z