https://community.splunk.com/t5/Splunk-Search/Join-a-search-by-field-across-indexes/m-p/407241#M190929 <P>I have two different indexes, with the common field being username. </P> <P>One index that contains phishing history data. index="phish"<BR /> One index that contains a list of usernames. index="poorpass"</P> <P>I'd like to join both indexes, and match them by username. So I'll have a list of users that are in both indexes. </P> <PRE><CODE>index="phish" status="Clicked Link" | eval username=email | rex field=username mode=sed "s/@\S+//g" | join host [search index="poorpass" group="username"] | table username </CODE></PRE> <P>My search goes through with no errors, but no events are returned. </P> Thu, 25 Jul 2019 21:05:11 GMT aarichow 2019-07-25T21:05:11Z https://community.splunk.com/t5/Splunk-Search/Join-a-search-by-field-across-indexes/m-p/407241#M190929 <P>I have two different indexes, with the common field being username. </P> <P>One index that contains phishing history data. index="phish"<BR /> One index that contains a list of usernames. index="poorpass"</P> <P>I'd like to join both indexes, and match them by username. So I'll have a list of users that are in both indexes. </P> <PRE><CODE>index="phish" status="Clicked Link" | eval username=email | rex field=username mode=sed "s/@\S+//g" | join host [search index="poorpass" group="username"] | table username </CODE></PRE> <P>My search goes through with no errors, but no events are returned. </P> Thu, 25 Jul 2019 21:05:11 GMT https://community.splunk.com/t5/Splunk-Search/Join-a-search-by-field-across-indexes/m-p/407241#M190929 aarichow 2019-07-25T21:05:11Z https://community.splunk.com/t5/Splunk-Search/Join-a-search-by-field-across-indexes/m-p/407242#M190930 <P>To clarify, the reason I'm creating the field called username is because it's not an existing field in my index. There is a field in the index, phish, called email, which is the same as username in this case, so I just strip the email at the @ sign, giving me the username. </P> <P>I'm then trying to match this field to a existing field in the index poorpass.</P> Thu, 25 Jul 2019 21:07:55 GMT https://community.splunk.com/t5/Splunk-Search/Join-a-search-by-field-across-indexes/m-p/407242#M190930 aarichow 2019-07-25T21:07:55Z https://community.splunk.com/t5/Splunk-Search/Join-a-search-by-field-across-indexes/m-p/407243#M190931 <P>HI aarichow,</P> <P>give this a try:</P> <PRE><CODE>( index="phish" status="Clicked Link" ) OR ( index="poorpass" group="username" ) | rex field=email mode=sed "s/@\S+//g" | eval username=case(isnotnull(email), email, isnotnull(username), username, 1=1, "unknown") | stats values(*) AS * by username, _time </CODE></PRE> <P>The <CODE>eval</CODE> will use either email, username, or if neither is available fill the value as <CODE>unknown</CODE> </P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Thu, 25 Jul 2019 22:15:35 GMT https://community.splunk.com/t5/Splunk-Search/Join-a-search-by-field-across-indexes/m-p/407243#M190931 MuS 2019-07-25T22:15:35Z https://community.splunk.com/t5/Splunk-Search/Join-a-search-by-field-across-indexes/m-p/407244#M190932 <P>I ran the search, this just returns all the users that have the status="clicked link", it doesn't match it to the field in poorpass. </P> Fri, 26 Jul 2019 13:35:25 GMT https://community.splunk.com/t5/Splunk-Search/Join-a-search-by-field-across-indexes/m-p/407244#M190932 aarichow 2019-07-26T13:35:25Z https://community.splunk.com/t5/Splunk-Search/Join-a-search-by-field-across-indexes/m-p/407245#M190933 <P>Can you please provide at least two anonymised events for each criteria? Thanks</P> <P>cheers, MuS</P> Mon, 29 Jul 2019 02:02:13 GMT https://community.splunk.com/t5/Splunk-Search/Join-a-search-by-field-across-indexes/m-p/407245#M190933 MuS 2019-07-29T02:02:13Z https://community.splunk.com/t5/Splunk-Search/Join-a-search-by-field-across-indexes/m-p/407246#M190934 <P>Like this:</P> <PRE><CODE>(index="phish" status="Clicked Link") OR (index="poorpass" group="username") | eval username=if(index="phish", email, null()) | rex field=username mode=sed "s/@\S+//g" | stats values(*) AS * BY host </CODE></PRE> Mon, 29 Jul 2019 06:19:27 GMT https://community.splunk.com/t5/Splunk-Search/Join-a-search-by-field-across-indexes/m-p/407246#M190934 woodcock 2019-07-29T06:19:27Z