Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Compare search using join and subsearch in 2 different indexes

SplunkNewbie18
New Member
‎10-31-2019 12:44 AM

Hi,

I've got 2 index logs to do a comparison with for emails. So in my mind is to use subsearch and join - but doesnt seems to work. 😞

Condition:
If more than 5 emails with the same sender was detected, these results will compare with the other sets of index logs. Field comparison is by subject. Only when more than 5 counts of same sender in index emailA and any of the subject matches to the ones in index emailB, will trigger an alert.

My search:
index=emailA
| stats values(subject) as subject count by sender
| where count > 5
| join subject [|search index=emailB
| table subject]
| table count, subject, sender

Can help to see whats wrong with my query? 😞

0 Karma
Reply

woodcock
Esteemed Legend
‎11-09-2019 12:29 PM

Like this:

index=emailA
| stats values(subject) AS subject count BY sender
| search (count > 5) AND [search index=emailB | stats count BY subject | table subject ]
| table count, subject, sender
0 Karma
Reply

to4kawa
Ultra Champion
‎10-31-2019 06:14 AM 
index=emailA OR index=emailB
| streamstats dc(index) as dcSub by subject
| stats values(dcSub) as dcSub values(subject) as subject count by sender
| where count > 5 AND dcSub==2
| table count, subject, sender

Hi, How about it?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-31-2019 12:54 AM

Hi SplunkNewbie18,
probably subject isn't a field useful for comparison because could be some space or char.
In addition: how many results have in subsearch? remember that there's the limit of 50,000 results in subsearches.

Ciao.
Giuseppe

0 Karma
Reply

SplunkNewbie18
New Member
‎10-31-2019 01:52 AM

Ohh we can only base on the subject as there's no other matching fields to compare with between the 2 index. I can confirm that the subsearch fields is less than 50000. On average abt less than 50 results.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-31-2019 06:41 AM

Hi SplunkNewbie18,
let me understand: you want to display count, subject and sender that are from the first index and the first stats, so, why do you want the join?
Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...