Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to join information into one table?

syazwani
Path Finder
‎10-11-2022 02:30 AM

Hi peeps,

I want to join below information result in one table:

1st query
index=sslvpn
| iplocation src_ip
| search Country != Malaysia
| eval Country = if(isnull(Country),"unknown",Country)
| table _time, user,src_ip,Country,action
| rename user as "User ID", src_ip as "Source IP", action as "Status"

2nd query
index=sslvpn group_path="ADL"
| iplocation accessIP
| where Country !="Malaysia"
| table _time, user,accessIP,Country,action

i try to join this table as below query:

index=sslvpn
| iplocation src_ip
| search Country != Malaysia
| eval Country = if(isnull(Country),"unknown",Country)
| table _time, user,src_ip,Country,action
| append
     [search index=sslvpn group_path="ADL"
     | iplocation accessIP
     | where Country !="Malaysia"
     | rename accessIP as src_ip]
| rename user as "User ID", src_ip as "Source IP" action as "Status"

but the result is not consist of 2nd query information. please help. thankyou.

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-11-2022 05:41 AM

The append command gives you two separate sets of results and it's up to the author to put them together.  That's usually done with the stats command.

index=sslvpn
| iplocation src_ip
| search Country != Malaysia
| eval Country = if(isnull(Country),"unknown",Country)
| table _time, user,src_ip,Country,action
| append
     [search index=sslvpn group_path="ADL"
     | iplocation accessIP
     | where Country !="Malaysia"
     | rename accessIP as src_ip]
| stats values(*) as * by src_ip
| rename user as "User ID", src_ip as "Source IP" action as "Status"

If you want to do the same with using join:

index=sslvpn
| iplocation src_ip
| search Country != Malaysia
| eval Country = if(isnull(Country),"unknown",Country)
| table _time, user,src_ip,Country,action
| join src_ip
     [search index=sslvpn group_path="ADL"
     | iplocation accessIP
     | where Country !="Malaysia"
     | rename accessIP as src_ip]
| rename user as "User ID", src_ip as "Source IP" action as "Status"
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...