https://community.splunk.com/t5/Splunk-Search/problem-with-join/m-p/682078#M233048 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266331">@Mahmoud</a>,</P><P>Don't use join: Splunk isn't a relational Database, it's a search engine, use stats BY the common key, something like this:</P><LI-CODE lang="markup">index="main" sourcetype="WinEventLog:Sysmon" lsass SourceImage="C:\\Windows\\system32\\rundll32.exe" EventCode IN (10,1) | eval ProcessId=coalesce(SourceProcessId,ProcessId) | stats values(TargetImage) AS TargetImage values(commandLine) AS commandLine BY ProcessId</LI-CODE><P>if you want to add an additional condition, e.g. only the ProcessId present in both the EventCodes, you can ann an additional final constrain.</P><LI-CODE lang="markup">index="main" sourcetype="WinEventLog:Sysmon" lsass SourceImage="C:\\Windows\\system32\\rundll32.exe" EventCode IN (10,1) | eval ProcessId=coalesce(SourceProcessId,ProcessId) | stats values(TargetImage) AS TargetImage values(commandLine) AS commandLine dc(EventCode) AS EventCode_count BY ProcessId | where EventCode_count=2 | fields - EventCode_count</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Wed, 27 Mar 2024 07:54:52 GMT gcusello 2024-03-27T07:54:52Z https://community.splunk.com/t5/Splunk-Search/problem-with-join/m-p/682077#M233047 <P>this is the query, so i'm still a baby in this world (so I'm sorry if there is a dummy mistakes that might drive you crazy when you read this query). However, I'm trying to Join the Source Process Id (from event code 10) with the Process Id ( from event code 1) and then print the command line, I tried to use `type=inner` but it gave me nothing which is wired, because when I look for the first query there is result and the same for the inner query.&nbsp;&nbsp;<BR /><BR /><BR /></P><P>&nbsp;</P><LI-CODE lang="markup">index="main" sourcetype="WinEventLog:Sysmon" EventCode=10 lsass SourceImage="C:\\Windows\\system32\\rundll32.exe" | join left=L right=R type=left where L.SourceProcessId=R.ProcessId [search EventCode=1 lsass "C:\\Windows\\system32\\rundll32.exe"] | table L.TargetImage, R.ProcessId, R.commandLine</LI-CODE><P>&nbsp;</P><P><BR /><BR /><BR /></P> Wed, 27 Mar 2024 07:38:04 GMT https://community.splunk.com/t5/Splunk-Search/problem-with-join/m-p/682077#M233047 Mahmoud 2024-03-27T07:38:04Z https://community.splunk.com/t5/Splunk-Search/problem-with-join/m-p/682078#M233048 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266331">@Mahmoud</a>,</P><P>Don't use join: Splunk isn't a relational Database, it's a search engine, use stats BY the common key, something like this:</P><LI-CODE lang="markup">index="main" sourcetype="WinEventLog:Sysmon" lsass SourceImage="C:\\Windows\\system32\\rundll32.exe" EventCode IN (10,1) | eval ProcessId=coalesce(SourceProcessId,ProcessId) | stats values(TargetImage) AS TargetImage values(commandLine) AS commandLine BY ProcessId</LI-CODE><P>if you want to add an additional condition, e.g. only the ProcessId present in both the EventCodes, you can ann an additional final constrain.</P><LI-CODE lang="markup">index="main" sourcetype="WinEventLog:Sysmon" lsass SourceImage="C:\\Windows\\system32\\rundll32.exe" EventCode IN (10,1) | eval ProcessId=coalesce(SourceProcessId,ProcessId) | stats values(TargetImage) AS TargetImage values(commandLine) AS commandLine dc(EventCode) AS EventCode_count BY ProcessId | where EventCode_count=2 | fields - EventCode_count</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Wed, 27 Mar 2024 07:54:52 GMT https://community.splunk.com/t5/Splunk-Search/problem-with-join/m-p/682078#M233048 gcusello 2024-03-27T07:54:52Z