Splunk Enterprise Security

Adding field from one search to another

New Member

Hello All on Splunk Answer.

I have following very simple search:

*index=*proxy domain="somedomain.com"
| stats values(url) values(action) values(respcode) count by src_ip

In events from proxy I don't have information about user who accessed urls and I wanted to get this information from Windows related events:
by following search:

index=*windows EventCode=4624 Source_Workstation!="-" AND user!="*$"
| stats count by src_ip,user]

Is there any sollution how to add user field to stats table for accessing particular domain ?
I though about using join appendcols commands.

Thanks a lot for your help.

0 Karma


Yeah don’t use join or append. They have limits. Do both root searches together with an or. Then stats that together


There are limits, but you're not likely to hit them unless you have massive data sets and don't filter well

0 Karma


Can you please try this?

(index=proxy domain="somedomain.com") OR (index=windows EventCode=4624 Source_Workstation!="-" AND user!="$")
| stats values(url) as url values(action) as action values(respcode) as respcode values(user) as user count by src_ip 
0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...