https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-searches-without-losing-main-search-data/m-p/611041#M212474 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/248907">@jeremyrenard</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the Contributors <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sat, 27 Aug 2022 08:45:23 GMT gcusello 2022-08-27T08:45:23Z https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-searches-without-losing-main-search-data/m-p/610932#M212456 <P>Hi,</P> <P>I am having some troubles to merge two searches and I am looking for the best way to do this.&nbsp;<BR />We have firewall traffic with NAT that is made on two levels. My goal is to be able to identify the flow with original and nated ip addresses. I explain :</P> <P>FW1 : src1,dst1,xlatesrc1,xlatedst1</P> <P>FW2 : src2 (=xlatescr1), dst2 (=xlatedst1), xlatedst2</P> <P>goal = table : src1,dst1,xlatesrc1,xlatedst1 (=xlatedst2 if it exists, xlatedst1 instead)<BR /><BR />I have made something like:</P> <LI-CODE lang="markup">search_FW1 | stats by src1,dst1,xlatesrc1,xlatedst1 | join left=[ search search_FW2 | stats values(xlatedst2) as xlatedst1 by src2] | rename src2 as xlatesrc1 | table src1,dst1,xlatesrc1,xlatedst1</LI-CODE> <P>But I have noticed that if src2 does not exist in search_FW1, I loose the event from my main search (search_FW1) :(. I thought that the "left" parameter of "join" should solve the issue, but it does not...&nbsp;</P> <P>Any idea how to avoid it (and maybe optimize my search as I have seen that "join" has poor performance)?<BR />Thanks</P> Fri, 26 Aug 2022 11:01:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-searches-without-losing-main-search-data/m-p/610932#M212456 jeremyrenard 2022-08-26T11:01:27Z https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-searches-without-losing-main-search-data/m-p/610933#M212457 Did this <A href="https://community.splunk.com/t5/Splunk-Search/What-is-the-relation-between-the-Splunk-inner-left-join-and-the/m-p/391288/thread-id/113948" target="_blank">https://community.splunk.com/t5/Splunk-Search/What-is-the-relation-between-the-Splunk-inner-left-join-and-the/m-p/391288/thread-id/113948</A> helps you to format correctly your SPL?<BR />r. Ismo Fri, 26 Aug 2022 10:04:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-searches-without-losing-main-search-data/m-p/610933#M212457 isoutamo 2022-08-26T10:04:48Z https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-searches-without-losing-main-search-data/m-p/610943#M212461 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/248907">@jeremyrenard</a>,</P><P>you should try to use the eval-coalesce command and use stats instead join that's very slow, something like this:</P><P>At first you have to identify (from your shared search isn't possible) the joining key (present in both the searches) and use it in the stats command, if they are xlatesrc1 and xlatedst1, you could try:</P><LI-CODE lang="markup">&lt;search_FW1&gt; OR &lt;search_FW2&gt; | eval xlatesrc1=coalesce(xlatesrc1,src2), xlatedst1=coalesce(xlatedst1, dst2) | stats values(src1) AS src1 values(dst1) AS dst1 BY xlatesrc1 xlatedst1</LI-CODE><P>&nbsp;Ciao.</P><P>Giuseppe</P> Fri, 26 Aug 2022 11:13:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-searches-without-losing-main-search-data/m-p/610943#M212461 gcusello 2022-08-26T11:13:05Z https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-searches-without-losing-main-search-data/m-p/610959#M212464 <P>Hello, thank you for your replies. I am working on it. I will let you know as soon as I have achieved what I att</P><P>empt to do <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 26 Aug 2022 13:59:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-searches-without-losing-main-search-data/m-p/610959#M212464 jeremyrenard 2022-08-26T13:59:48Z https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-searches-without-losing-main-search-data/m-p/610966#M212466 <P>I have got it working (needed to add extra search to remove dupplicated "xlatesrc" values but work as a charm).</P><P>Thank you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P> Fri, 26 Aug 2022 14:47:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-searches-without-losing-main-search-data/m-p/610966#M212466 jeremyrenard 2022-08-26T14:47:38Z https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-searches-without-losing-main-search-data/m-p/611041#M212474 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/248907">@jeremyrenard</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the Contributors <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sat, 27 Aug 2022 08:45:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-searches-without-losing-main-search-data/m-p/611041#M212474 gcusello 2022-08-27T08:45:23Z