https://community.splunk.com/t5/Splunk-Search/Anything-wrong-is-with-join-query/m-p/544293#M154182 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231969">@kyoung2580</a>,<BR />You don't need a join command, you can try this,</P><LI-CODE lang="markup">index=sysmon EventCode=3 OR EventCode=5156 | stats count(eval(EventCode=3)) as sysmon_count, count(eval(EventCode=5156)) as winevt_count by img_name | sort sysmon_count desc | table img_name, sysmon_count, winevt_count</LI-CODE><P>&nbsp;</P><P>If you still find some&nbsp;<SPAN>img_name</SPAN>&nbsp;values missing then they might not be there in your index OR you might need to increase the search time range depending on when the data is collected in Splunk and event timestamps.</P><LI-CODE lang="markup">index=sysmon EventCode=3 OR EventCode=5156 earliest=1 | stats count(eval(EventCode=3)) as sysmon_count, count(eval(EventCode=5156)) as winevt_count by img_name | sort sysmon_count desc | table img_name, sysmon_count, winevt_count</LI-CODE><P>&nbsp;</P><P>If this reply helps you, an upvote/like would be appreciated.</P> Thu, 18 Mar 2021 07:30:42 GMT manjunathmeti 2021-03-18T07:30:42Z https://community.splunk.com/t5/Splunk-Search/Anything-wrong-is-with-join-query/m-p/544289#M154181 <P>I have inserted the same data in splunk and mysql.</P><P>Splunk query:</P><P>&nbsp;</P><LI-CODE lang="markup">index=sysmon EventCode=3 | stats count as sysmon_count by img_name | sort sysmon_count desc | join type=inner img_name [ search index=winevent EventCode=5156 | stats count as winevt_count by img_name ] | table img_name, sysmon_count, winevt_count</LI-CODE><P>&nbsp;</P><P>Result:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%">img_name</TD><TD width="33.333333333333336%">sysmon_count</TD><TD width="33.333333333333336%">winevt_count</TD></TR><TR><TD width="33.333333333333336%">splunkd.exe</TD><TD width="33.333333333333336%">3697</TD><TD width="33.333333333333336%">3701</TD></TR><TR><TD width="33.333333333333336%">python3.exe</TD><TD width="33.333333333333336%">614</TD><TD width="33.333333333333336%">3071</TD></TR><TR><TD width="33.333333333333336%">streamfwd.exe</TD><TD width="33.333333333333336%">614</TD><TD width="33.333333333333336%">1228</TD></TR><TR><TD width="33.333333333333336%">chrome.exe</TD><TD width="33.333333333333336%">211</TD><TD width="33.333333333333336%">910</TD></TR><TR><TD width="33.333333333333336%">svchost.exe</TD><TD width="33.333333333333336%">36</TD><TD width="33.333333333333336%">97</TD></TR><TR><TD width="33.333333333333336%">System</TD><TD width="33.333333333333336%">22</TD><TD width="33.333333333333336%">34</TD></TR><TR><TD width="33.333333333333336%">taskhostw.exe</TD><TD width="33.333333333333336%">1</TD><TD width="33.333333333333336%">2</TD></TR><TR><TD width="33.333333333333336%">whale_update.exe</TD><TD width="33.333333333333336%">1</TD><TD width="33.333333333333336%">1</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Mysql query:</P><P>&nbsp;</P><LI-CODE lang="markup">select a.img_name, a.sysmon_count, b.winevt_count from ( select img_name, count(*) as sysmon_count from sysmon where eventcode = 3 group by img_name order by sysmon_count desc) a join ( select img_name, count(*) as winevt_count from winevent where eventcode=5156 group by img_name order by winevt_count desc) b on a.img_name = b.img_name</LI-CODE><P>&nbsp;</P><P>Result:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%">img_name</TD><TD width="33.333333333333336%">sysmon_count</TD><TD width="33.333333333333336%">winevt_count</TD></TR><TR><TD width="33.333333333333336%">splunkd.exe</TD><TD width="33.333333333333336%">3697</TD><TD width="33.333333333333336%">3701</TD></TR><TR><TD width="33.333333333333336%">python3.exe</TD><TD width="33.333333333333336%">614</TD><TD width="33.333333333333336%">3071</TD></TR><TR><TD width="33.333333333333336%">streamfwd.exe</TD><TD width="33.333333333333336%">614</TD><TD width="33.333333333333336%">1228</TD></TR><TR><TD width="33.333333333333336%">chrome.exe</TD><TD width="33.333333333333336%">211</TD><TD width="33.333333333333336%">910</TD></TR><TR><TD width="33.333333333333336%">svchost.exe</TD><TD width="33.333333333333336%">36</TD><TD width="33.333333333333336%">97</TD></TR><TR><TD width="33.333333333333336%">System</TD><TD width="33.333333333333336%">22</TD><TD width="33.333333333333336%">34</TD></TR><TR><TD width="33.333333333333336%">RuntimeBroker.exe</TD><TD width="33.333333333333336%">2</TD><TD width="33.333333333333336%">2</TD></TR><TR><TD width="33.333333333333336%">taskhostw.exe</TD><TD width="33.333333333333336%">1</TD><TD width="33.333333333333336%">2</TD></TR><TR><TD width="33.333333333333336%">backgroundTaskHost.exe</TD><TD width="33.333333333333336%">1</TD><TD width="33.333333333333336%">1</TD></TR><TR><TD>OfficeClickToRun.exe</TD><TD>1</TD><TD>1</TD></TR><TR><TD>POWERPNT.EXT</TD><TD>1</TD><TD>1</TD></TR><TR><TD>MsMpEng.exe</TD><TD>1</TD><TD>1</TD></TR><TR><TD>CEIP.exe</TD><TD>1</TD><TD>1</TD></TR><TR><TD>whale_update.exe</TD><TD>1</TD><TD>1</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Add:</P><P>I have found the cause of join problem. Mysql is case-insensitive but splunk is case-sensitive. It can get the same result as mysql when change the join field(img_name) to lowercase.&nbsp;</P><LI-CODE lang="markup">index=sysmon EventCode=3 | eval img_name = lower(img_name) | stats count as sysmon_count by img_name | sort sysmon_count desc | join type=inner img_name [ search index=winevent EventCode=5156 | eval img_name = lower(img_name) | stats count as winevt_count by img_name ]</LI-CODE><P>&nbsp;</P> Thu, 18 Mar 2021 15:06:23 GMT https://community.splunk.com/t5/Splunk-Search/Anything-wrong-is-with-join-query/m-p/544289#M154181 kyoung2580 2021-03-18T15:06:23Z https://community.splunk.com/t5/Splunk-Search/Anything-wrong-is-with-join-query/m-p/544293#M154182 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231969">@kyoung2580</a>,<BR />You don't need a join command, you can try this,</P><LI-CODE lang="markup">index=sysmon EventCode=3 OR EventCode=5156 | stats count(eval(EventCode=3)) as sysmon_count, count(eval(EventCode=5156)) as winevt_count by img_name | sort sysmon_count desc | table img_name, sysmon_count, winevt_count</LI-CODE><P>&nbsp;</P><P>If you still find some&nbsp;<SPAN>img_name</SPAN>&nbsp;values missing then they might not be there in your index OR you might need to increase the search time range depending on when the data is collected in Splunk and event timestamps.</P><LI-CODE lang="markup">index=sysmon EventCode=3 OR EventCode=5156 earliest=1 | stats count(eval(EventCode=3)) as sysmon_count, count(eval(EventCode=5156)) as winevt_count by img_name | sort sysmon_count desc | table img_name, sysmon_count, winevt_count</LI-CODE><P>&nbsp;</P><P>If this reply helps you, an upvote/like would be appreciated.</P> Thu, 18 Mar 2021 07:30:42 GMT https://community.splunk.com/t5/Splunk-Search/Anything-wrong-is-with-join-query/m-p/544293#M154182 manjunathmeti 2021-03-18T07:30:42Z https://community.splunk.com/t5/Splunk-Search/Anything-wrong-is-with-join-query/m-p/544307#M154183 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129090">@manjunathmeti</a> It works! This is very helpful. Thank you very much.:)</P> Thu, 18 Mar 2021 10:35:35 GMT https://community.splunk.com/t5/Splunk-Search/Anything-wrong-is-with-join-query/m-p/544307#M154183 kyoung2580 2021-03-18T10:35:35Z