Re: Join Command

syazwani · ‎10-11-2022

Hi peeps,

I want to join below information result in one table:

but the result is not consist of 2nd query information. please help. thankyou.

richgalloway · ‎10-11-2022

The append command gives you two separate sets of results and it's up to the author to put them together. That's usually done with the stats command.

index=sslvpn
| iplocation src_ip
| search Country != Malaysia
| eval Country = if(isnull(Country),"unknown",Country)
| table _time, user,src_ip,Country,action
| append
     [search index=sslvpn group_path="ADL"
     | iplocation accessIP
     | where Country !="Malaysia"
     | rename accessIP as src_ip]
| stats values(*) as * by src_ip
| rename user as "User ID", src_ip as "Source IP" action as "Status"

If you want to do the same with using join:

index=sslvpn
| iplocation src_ip
| search Country != Malaysia
| eval Country = if(isnull(Country),"unknown",Country)
| table _time, user,src_ip,Country,action
| join src_ip
     [search index=sslvpn group_path="ADL"
     | iplocation accessIP
     | where Country !="Malaysia"
     | rename accessIP as src_ip]
| rename user as "User ID", src_ip as "Source IP" action as "Status"

---
If this reply helps you, Karma would be appreciated.

How to join information into one table?

using Enterprise Security

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life