topic Re: Why is a join on the _cd field to correlate search results to a specific event not returning any values? in Splunk Search https://community.splunk.com/t5/Splunk-Search/Why-is-a-join-on-the-cd-field-to-correlate-search-results-to-a/m-p/148311#M41483 <P>hi esumerfd,<BR /> try following these link below:<BR /> <A href="http://answers.splunk.com/answers/49/does-each-splunk-event-have-a-unique-identifier.html">http://answers.splunk.com/answers/49/does-each-splunk-event-have-a-unique-identifier.html</A><BR /> <A href="http://answers.splunk.com/answers/10256/get-bucket-ids-corresponding-to-events.html">http://answers.splunk.com/answers/10256/get-bucket-ids-corresponding-to-events.html</A></P> Wed, 15 Apr 2015 16:23:00 GMT gyslainlatsa 2015-04-15T16:23:00Z Why is a join on the _cd field to correlate search results to a specific event not returning any values? https://community.splunk.com/t5/Splunk-Search/Why-is-a-join-on-the-cd-field-to-correlate-search-results-to-a/m-p/148310#M41482 <P>I want to join with search results and correlate to the specific event. Trying <CODE>_cd</CODE> field, but it doesn't appear to return any values.</P> <PRE><CODE>index=main * | join _cd [search *] </CODE></PRE> <P>I was expecting to see some bucket and address values?</P> <PRE><CODE>earliest="-1s" * | rex field=_cd "(?&lt;bucket&gt;d+):(?&lt;address&gt;d+)" </CODE></PRE> Wed, 15 Apr 2015 16:19:21 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-a-join-on-the-cd-field-to-correlate-search-results-to-a/m-p/148310#M41482 esumerfd 2015-04-15T16:19:21Z Re: Why is a join on the _cd field to correlate search results to a specific event not returning any values? https://community.splunk.com/t5/Splunk-Search/Why-is-a-join-on-the-cd-field-to-correlate-search-results-to-a/m-p/148311#M41483 <P>hi esumerfd,<BR /> try following these link below:<BR /> <A href="http://answers.splunk.com/answers/49/does-each-splunk-event-have-a-unique-identifier.html">http://answers.splunk.com/answers/49/does-each-splunk-event-have-a-unique-identifier.html</A><BR /> <A href="http://answers.splunk.com/answers/10256/get-bucket-ids-corresponding-to-events.html">http://answers.splunk.com/answers/10256/get-bucket-ids-corresponding-to-events.html</A></P> Wed, 15 Apr 2015 16:23:00 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-a-join-on-the-cd-field-to-correlate-search-results-to-a/m-p/148311#M41483 gyslainlatsa 2015-04-15T16:23:00Z