https://community.splunk.com/t5/Splunk-Search/Join-fields-from-two-indexes-using-fields-that-match-partially/m-p/191935#M55234 <P>I'm not sure what end result you are trying to achieve, but you could probably use a calculated field...</P> <PRE><CODE>eval match=if(like(URL, %vulnerabledomain%), 1, 0) </CODE></PRE> <P>Then, filter to match=1 and do your join on match. Or, you may not even need to perform a join, and can run stats, etc. off the calculated field.</P> Tue, 24 Mar 2015 13:54:29 GMT masonmorales 2015-03-24T13:54:29Z https://community.splunk.com/t5/Splunk-Search/Join-fields-from-two-indexes-using-fields-that-match-partially/m-p/191932#M55231 <P>Hello,</P> <P>I have two indexes one containing a list of webpages that has been accessed (Index A) and another containing a list of vulnerable sites/domains/files and their description(Index B).</P> <P>I would like to join these two indexes in order to see the vulnerable websites that have been accessed. A normal join operation doesn't quite cut it because the "value" field from index B can be a word that can appear anywhere in the "webpage" field of index A.</P> <P>Any idea how i can perform such a join ? </P> <P>Regards,<BR /> David</P> Mon, 23 Mar 2015 12:34:08 GMT https://community.splunk.com/t5/Splunk-Search/Join-fields-from-two-indexes-using-fields-that-match-partially/m-p/191932#M55231 DavidHourani 2015-03-23T12:34:08Z https://community.splunk.com/t5/Splunk-Search/Join-fields-from-two-indexes-using-fields-that-match-partially/m-p/191933#M55232 <P>Joins are expensive and should be avoided (if there are alternatives).</P> <P>If your indexB has fewer records (&lt;1000 for example) you can try following</P> <PRE><CODE>index=indexA sourcetype=sourcetypeA [search index=indexB sourcetype=sourcetypeB | stats count by value | table value | eval webpage="*".value."*" | table webpage ] </CODE></PRE> Mon, 23 Mar 2015 17:58:00 GMT https://community.splunk.com/t5/Splunk-Search/Join-fields-from-two-indexes-using-fields-that-match-partially/m-p/191933#M55232 somesoni2 2015-03-23T17:58:00Z https://community.splunk.com/t5/Splunk-Search/Join-fields-from-two-indexes-using-fields-that-match-partially/m-p/191934#M55233 <P>Thank you for your reply... I was hoping I could avoid lookups to do this.. what do you think ? would it be possible to output the useful fields from the smaller index into CSV then use them a lookup ? if so how would I handle the <CODE>"*".value."*"</CODE> ?</P> Tue, 24 Mar 2015 13:17:09 GMT https://community.splunk.com/t5/Splunk-Search/Join-fields-from-two-indexes-using-fields-that-match-partially/m-p/191934#M55233 DavidHourani 2015-03-24T13:17:09Z https://community.splunk.com/t5/Splunk-Search/Join-fields-from-two-indexes-using-fields-that-match-partially/m-p/191935#M55234 <P>I'm not sure what end result you are trying to achieve, but you could probably use a calculated field...</P> <PRE><CODE>eval match=if(like(URL, %vulnerabledomain%), 1, 0) </CODE></PRE> <P>Then, filter to match=1 and do your join on match. Or, you may not even need to perform a join, and can run stats, etc. off the calculated field.</P> Tue, 24 Mar 2015 13:54:29 GMT https://community.splunk.com/t5/Splunk-Search/Join-fields-from-two-indexes-using-fields-that-match-partially/m-p/191935#M55234 masonmorales 2015-03-24T13:54:29Z https://community.splunk.com/t5/Splunk-Search/Join-fields-from-two-indexes-using-fields-that-match-partially/m-p/191936#M55235 <P>Here we are supposing that the same event contains both fields ? The two fields I wish to match are in different events so I have to join those 2 events based on whether a part of the key matches in both of them</P> Fri, 10 Apr 2015 11:40:20 GMT https://community.splunk.com/t5/Splunk-Search/Join-fields-from-two-indexes-using-fields-that-match-partially/m-p/191936#M55235 DavidHourani 2015-04-10T11:40:20Z