Help with subsearch that returns 0 results

tayvionp
Explorer

I'm currently developing a Splunk query that will query 2 indexes to correlate data by leveraging a user's email, but I'm not receiving any luck.

index="A" Example="A"
| dedup email
| rename email AS actor
| join actor
    [search index="B"
    | table _time, actor, fileName, shared, url ]

I also tried this query as well

(index="A" Example="A" OR index="B")
| fields email
| where email = actor
| table _time, work_email, fileName, shared, url


tayvionp
Explorer

I figured it out. I had to switch the indexes for the subsearch.

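As an added example (not the poster's own query), here is one reading of "switch the indexes for the subsearch": drive the join from index B, where the `actor` field lives, and feed the deduplicated email list from index A through the subsearch. The field names (`Example`, `email`, `actor`, `fileName`, `shared`, `url`) are taken from the thread and are assumed to exist as described there.

```spl
index="B"
| join type=inner actor
    [ search index="A" Example="A"
      | dedup email
      | rename email AS actor
      | fields actor ]
| table _time, actor, fileName, shared, url
```

The subsearch now returns only the `actor` column (one row per unique email), so `join` keeps just the index B events whose `actor` matches an employee selected by `Example="A"`. Join subsearches are capped by limits.conf (`subsearch_maxout` and `subsearch_maxtime` in the `[join]` stanza), so the smaller, deduplicated data set belongs inside the brackets; if the match still returns nothing, run the subsearch on its own and compare a few `actor` values against `email` values from index B for case or domain differences.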

richgalloway
SplunkTrust

It's unclear why the first query isn't producing results. Perhaps the value of the email field is not an exact match for any values of the actor field.

The second query fails because the actor field was discarded by the fields command. There are probably other reasons for failure, but resolve that one first.

---
If this reply helps you, Karma would be appreciated.
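As an added example (not from the reply above or the original poster), this is a join-free way to correlate the two indexes that avoids the pitfall just described: the `fields` command in the second query kept only `email`, so `actor` was gone before the `where` ran, and `where email = actor` compared two fields that never occur in the same event anyway (`email` comes from index A, `actor` from index B). Field names are those used in the thread and are assumed to exist as described.

```spl
(index="A" Example="A") OR index="B"
| eval actor=coalesce(actor, email)
| stats values(index) AS seen_in, values(fileName) AS fileName, values(shared) AS shared, values(url) AS url, max(_time) AS _time BY actor
| where mvcount(seen_in) == 2
| table _time, actor, fileName, shared, url
```

The `eval` puts the key from either index into a single `actor` field, `stats ... BY actor` merges the events for each person, and `where mvcount(seen_in) == 2` keeps only actors that appeared in both indexes (the correlation the original `join` was trying to express). `max(_time)` reports the latest event per actor; use `values(_time)` instead if every timestamp matters. Because `stats` is not subject to subsearch row or time limits, this form also scales better than `join` on large index B result sets.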

tayvionp
Explorer

So, the field `example` in the first query is a field used to filter the type of employees that I'm looking for. The field `email` is the field that I'm using to correlate the data from `index="B"`. The field `actor` contains the same field information as the field `email` from `index="A"`.

I renamed the field `email` to `actor` to use the join command.
