Building for the Splunk Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to join 2 search

supriyagaw08
Explorer
‎12-11-2020 03:04 AM

Hello all,

I want to join 2 search based upon one common filed from both the search , 

index=14 search_name="Daily Counts" |rename A_USER_NM as USER_NM|table Date USER_NM FILE_ID FILE_NM filecount| join USER_NM
[ search index=14 earliest=-24h@h latest=now sourcetype=user source=O  001
| dedup USER_NM
| table USER_NM USER_ID indicator ]

I tried above search its working but its not displaying all results, few records are getting missed, let me know where am I making mistake or any other method that i can use.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

nickhills
Ultra Champion
‎12-11-2020 03:22 AM

A direct answer to the question using join:

 

index=14 search_name="Daily Counts" 
|rename A_USER_NM as USER_NM
|table Date USER_NM FILE_ID FILE_NM filecount
| join type=left max=0 USER_NM
[ search index=14 earliest=-24h@h latest=now sourcetype=user source=O  001
| dedup USER_NM
| table USER_NM USER_ID indicator ]

 

I am unclear if  the dedup in the subsearch is necessary if you are missing results?

However, there are normally better/more efficient ways of obtaining the same results with stats, but it might help to see some sample data to provide you with a stats example

If my comment helps, please give it a thumbs up!
0 Karma
Reply

supriyagaw08
Explorer
‎12-11-2020 03:37 AM

HI @nickhills  thanks for the reply but i used this and its showing the fileds USER_ID indicator as blanks even i remove dedup.

The output from my search 1 is Date| A_USER_NM| FILE_ID FILE_NM |filecount and output 2 has many fields from which i want only USER_ID and indicator. Both search has common index but different search reports

0 Karma
Reply

nickhills
Ultra Champion
‎12-11-2020 03:52 AM

That would suggest the second search is not finding any matches.  Are you sure that USER_NM is the correct field to match on (does it also need renaming perhaps?)

If you just run your second search, do you see results for USER_NM and USER_ID in the same rows?

If my comment helps, please give it a thumbs up!
0 Karma
Reply

supriyagaw08
Explorer
‎12-15-2020 12:37 AM

Hi @nickhills thanks for your help the issue was with search 2 it was not giving complete search I was looking for , fixed that and issue was resolved.

Reply

supriyagaw08
Explorer
‎12-11-2020 04:01 AM

@nickhills user_nm is correct common field between 2 search, also yes in output of second search USER_NM and USER_ID are in same row

0 Karma
Reply

nickhills
Ultra Champion
‎12-11-2020 04:09 AM

Just because you wrote "user_nm" (and this may be a silly question) do both search results have the field USER_NM in upper case? Fieldnames (in the join) would be case sensitive.

From what you are saying, it sounds like the search should work. Are you able to provide a screenshot (with redactions etc) of all the searches?

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...