topic Re: Is there a way to APPEND events based on a field value from main search? in Splunk Search

Is there a way to APPEND events based on a field value from main search?

jedatt01 — Tue, 29 Sep 2020 08:33:33 GMT

I have a use case where a user will input a username and Splunk should return results for that username. But, there are seperate events related that username which do not contain the username field, but instead have the same mac address field. The following command is what I wish would work, but I know the append command doesn't allow you to pass data from the main search.

index=my_index UserName=myuser | table _time UserName MacAddress Message | append MacAddress [search index=my_index | table _time UserName MacAddress Message]

Does anybody know how I can acomplish this?

Re: Is there a way to APPEND events based on a field value from main search?

s2_splunk — Tue, 26 Jan 2016 20:35:56 GMT

Have you taken a look at the join command?
Here's a good blog post on event correlation

Hope this helps!

Re: Is there a way to APPEND events based on a field value from main search?

somesoni2 — Tue, 26 Jan 2016 20:39:22 GMT

You sample query says both the searches have a field called UserName, Is that a typo?

Re: Is there a way to APPEND events based on a field value from main search?

jedatt01 — Tue, 26 Jan 2016 23:08:39 GMT

From what I understand the join command will join the fields of two events together. What I need to to be able to append the events but the append needs to be based on a common field

Re: Is there a way to APPEND events based on a field value from main search?

kbecker — Wed, 27 Jan 2016 02:04:54 GMT

Does the MacAddress field exist in both events? If so "join" would work.

Re: Is there a way to APPEND events based on a field value from main search?

somesoni2 — Wed, 27 Jan 2016 03:09:14 GMT

So if you want to append result of 2nd search to result of 1st search based on a field (common) from the result of 1st search, you need to use syntax like this. The append function doesn't offer any functionality to append conditionally. You have to use a subsearch in the 2nd search:
Updated

index=my_index UserName=myuser | table _time UserName MacAddress Message 
| append [search index=my_index [search index=my_index UserName=myuser | stats count by MacAddress | table MacAddress ]| table _time UserName MacAddress Message]

Re: Is there a way to APPEND events based on a field value from main search?

chimell — Wed, 27 Jan 2016 11:04:04 GMT

Hi jedatt01
Try this search code

| set union [search index=my_index UserName=myuser| fields _time MacAddress Message] [search index=my_index NOT UserName| fields  _time MacAddress Message]|table _time MacAddress Message

Re: Is there a way to APPEND events based on a field value from main search?

jedatt01 — Wed, 27 Jan 2016 13:23:15 GMT

This worked with one change in the syntax, Remove the MacAddress from after | append

 index=my_index UserName=myuser | table _time UserName MacAddress Message 
 | append [search index=my_index [search index=my_index UserName=myuser | stats count by MacAddress | table MacAddress ]| table _time UserName MacAddress Message]

Re: Is there a way to APPEND events based on a field value from main search?

somesoni2 — Thu, 28 Jan 2016 01:54:40 GMT

Ohh.. cut copy paste error. Updated the answer.