How to join information into one table?

syazwani · ‎10-11-2022

Hi peeps,

I want to join below information result in one table:

but the result is not consist of 2nd query information. please help. thankyou.

richgalloway · ‎10-11-2022

The append command gives you two separate sets of results and it's up to the author to put them together. That's usually done with the stats command.

index=sslvpn
| iplocation src_ip
| search Country != Malaysia
| eval Country = if(isnull(Country),"unknown",Country)
| table _time, user,src_ip,Country,action
| append
     [search index=sslvpn group_path="ADL"
     | iplocation accessIP
     | where Country !="Malaysia"
     | rename accessIP as src_ip]
| stats values(*) as * by src_ip
| rename user as "User ID", src_ip as "Source IP" action as "Status"

If you want to do the same with using join:

index=sslvpn
| iplocation src_ip
| search Country != Malaysia
| eval Country = if(isnull(Country),"unknown",Country)
| table _time, user,src_ip,Country,action
| join src_ip
     [search index=sslvpn group_path="ADL"
     | iplocation accessIP
     | where Country !="Malaysia"
     | rename accessIP as src_ip]
| rename user as "User ID", src_ip as "Source IP" action as "Status"

---
If this reply helps you, Karma would be appreciated.

How to join information into one table?

using Enterprise Security

.conf23 Registration is Now Open!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control