Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I merge two splunk queries together?

Taibat02230232
Loves-to-Learn
‎11-29-2022 03:44 PM

I have two Splunk queries 1 and 2 below, and both have one common email , i want the searched emails generated from the result which are email variable to be able to send an alert notification base on the search result generated email.

I need the common value to have the field with matching values in both queries which is the email , then be able to send an email alert notification

Query-1

index="aws-cloudtrail" eventName="AssumeRoleWithSAML" |fields *
| spath "requestParameters.roleArn" |search "*super*admin*"
| rex field=responseElements.subject "(?<Email>[a-zA-Z0-9]{1,8}@digitlogs.com$)"
| search Email=*
| table Email,"recipientAccountId"
| dedup Email, "recipientAccountId"

Query-2

index="okta" displayMessage="Authenticate user with AD agent"
| rename target{}.alternateId as email
| eval my_ponies=mvindex(email, -3, -2)
| eval Email=mvindex(email, 0)
| eval email=mvindex(email, 1)
| table Email email

Here are the two of them, please any input will help

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-29-2022 11:46 PM

Hi @Taibat02230232,

if you're sure that one of the searches has less than 50,000 results, you can use append:

index="aws-cloudtrail" eventName="AssumeRoleWithSAML" 
| spath "requestParameters.roleArn" 
| search "*super*admin*"
| rex field=responseElements.subject "(?<Email>[a-zA-Z0-9]{1,8}@digitlogs.com$)"
| search Email=*
| table Email,"recipientAccountId"
| dedup Email, "recipientAccountId"
| append search
   index="okta" displayMessage="Authenticate user with AD agent"
   | rename target{}.alternateId as email
   | eval my_ponies=mvindex(email, -3, -2)
   | eval Email=mvindex(email, 0)
   | eval email=mvindex(email, 1)
   | table Email email
   ]
| stats 
   values(recipientAccountId) AS recipientAccountId 
   values(email) AS email 
   BY Email

otherwise you have to use a more complex search.

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...