How to join below 2 indexes?

utkarsh_s · ‎01-08-2020

Join below 2 indexes on basis of user

index=_internal sourcetype=splunkd_ui_access q!=""
| rex field=uri_query "display\.page\.search\.mode=(?[^\&]+)"
| table _time host user q search_mode
| eval query=urldecode(q)
| where (search_mode="verbose") AND (user!="-")
| stats values(host) as hosts last(query) as query count(user) as "# of verbose searches" by user
| rename query as "Recent Verbose Search"
| fields user hosts "# of verbose searches" "Recent Verbose Search"
| sort - "# of verbose searches"

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT
"search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | stats count by user search _time | sort _time | convert ctime(_time)
| stats list(_time) as Time list(search) as Searches by user

johnathanpalosn · ‎01-08-2020

I'm still new to this so bear with me but couldn't you do something along the lines of:

(index=_internal sourcetype=splunkd_ui_access q!="") OR ( index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT
"search='typeahead" NOT "search='| metadata type=* | search totalCount>0")
| rex field=uri_query "display.page.search.mode=(?[^&]+)"
| stats count by user search _time | sort _time | convert ctime(_time)
| stats list(_time) as Time list(search) as Searches by user
| table _time host user q search_mode
| eval query=urldecode(q)
| where (search_mode="verbose") AND (user!="-")
| stats values(host) as hosts last(query) as query count(user) as "# of verbose searches" by user
| rename query as "Recent Verbose Search"
| fields user hosts "# of verbose searches" "Recent Verbose Search"
| sort - "# of verbose searches"

How to join below 2 indexes?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!