Archive

How to join below 2 indexes?

New Member

Join below 2 indexes on basis of user

index=_internal sourcetype=splunkd_ui_access q!=""
| rex field=uri_query "display\.page\.search\.mode=(?[^\&]+)"
| table _time host user q search_mode
| eval query=urldecode(q)
| where (search_mode="verbose") AND (user!="-")
| stats values(host) as hosts last(query) as query count(user) as "# of verbose searches" by user
| rename query as "Recent Verbose Search"
| fields user hosts "# of verbose searches" "Recent Verbose Search"
| sort - "# of verbose searches"

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT
"search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | stats count by user search _time | sort _time | convert ctime(_time)
| stats list(_time) as Time list(search) as Searches by user
Tags (1)
0 Karma

I'm still new to this so bear with me but couldn't you do something along the lines of:

(index=_internal sourcetype=splunkd_ui_access q!="") OR ( index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT
"search='typeahead" NOT "search='| metadata type=* | search totalCount>0")
| rex field=uri_query "display.page.search.mode=(?[^&]+)"
| stats count by user search _time | sort _time | convert ctime(_time)
| stats list(_time) as Time list(search) as Searches by user
| table _time host user q search_mode
| eval query=urldecode(q)
| where (search_mode="verbose") AND (user!="-")
| stats values(host) as hosts last(query) as query count(user) as "# of verbose searches" by user
| rename query as "Recent Verbose Search"
| fields user hosts "# of verbose searches" "Recent Verbose Search"
| sort - "# of verbose searches"

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!