Archive

Join Two Searches Using Matching ID - But Different Field Name

Path Finder

Greetings,

Our developers are logging what user views a particular web page and flag it via the "ID" field. If a user also runs a query within the web page during that session, it logs the query in a different table using the "URLREQUESTID". The ID and the URLREQUESTID are the same value. How can I join the two searches based on the value in the "ID" field in that first search I mentioned.

Basically I want to list the pages they viewed and any corresponding queries they ran in one report/output. Thanks for any help.

Tags (1)
0 Karma

SplunkTrust
SplunkTrust

try this:

(index=A  ID=xyz) OR (index=B  URL_REQUEST_ID=xyz) 
 | rename URL_REQUEST_ID as ID
 | table index ID .. all the required fields
 | stats values(*) as * by ID

~~I AM BACK

0 Karma