Dashboards & Visualizations

Help with subsearch that returns 0 results

tayvionp
Explorer

I'm currently developing a Splunk query that will query two indexes to correlate data by leveraging a user's email, but I'm not having any luck.

index="A" Example="A" 
| dedup email 
| rename email AS actor
| join actor
    [search index="B"
    | table _time, actor, fileName, shared, url ]

I also tried this query:

(index="A" Example="A" OR index="B")
| fields email
| where email = actor
| table _time, work_email, fileName, shared, url

0 Karma
1 Solution

tayvionp
Explorer

I figured it out. I had to switch the indexes for the subsearch.

richgalloway
SplunkTrust

It's unclear why the first query isn't producing results. Perhaps the value of the email field is not an exact match for any values of the actor field.

The second query fails because the actor field was discarded by the fields command. There are probably other reasons for failure, but resolve that one first.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
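As an added example (not from the original post, the accepted solution, or Splunk's documentation), here is the correlation written the way the two replies above point to: the join with the employee list from index A in the subsearch (the direction the poster switched to), and an equivalent that needs no join at all. It assumes the field names already used in the thread (`email` in index A, `actor` in index B, plus `_time`, `fileName`, `shared`, `url`, and the `Example="A"` filter) and that a non-matching email/actor pair differs only in case or surrounding whitespace, which is one common reason an exact-match join returns nothing; `lower()` and `trim()` are applied on both sides for that reason.

```spl
index="B"
| eval actor=lower(trim(actor))
| join type=inner actor
    [ search index="A" Example="A"
    | eval actor=lower(trim(email))
    | dedup actor
    | fields actor ]
| table _time, actor, fileName, shared, url

(index="A" Example="A") OR index="B"
| eval actor=lower(trim(coalesce(actor, email)))
| eventstats dc(index) AS idx_count BY actor
| where idx_count=2 AND index="B"
| table _time, actor, fileName, shared, url
```

The first query is the join form: the subsearch returns one normalized `actor` value per employee email, and `join type=inner` keeps only index B events whose `actor` matches exactly. The second query reads both indexes in one pass, builds the common key with `coalesce()` (index A events carry `email`, index B events carry `actor`), counts how many distinct indexes each key was seen in, and keeps the index B events whose key also appeared in index A. The second form is the one to prefer at scale: join subsearches are capped in rows and runtime by limits.conf, so a large employee list can be silently truncated and produce a zero-result or partial correlation with no error.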

tayvionp
Explorer

So, the field `Example` in the first query is a field used to filter the type of employees that I'm looking for. The field `email` is the field that I'm using to correlate the data from `index="B"`. The field `actor` contains the same information as the field `email` from `index="A"`.

I renamed the field `email` to `actor` so I could use the join command.

0 Karma