Splunk search on two different indexes and retriev...

armanih · ‎09-06-2020

Hi All,

I have two indexes.

Index A | table email_users
Index B | table email, Group

email_users and email fields contain email addresses

I need to match both these index fields and get the value of the field Group for the results.

I tried the below query, but its not working.

index=A or index=B
| rename email_users as email
| stats values(Group) by email

thambisetty · ‎09-08-2020

index=A or index=B
| eval new_email=coalesce(email,email_users)
| stats dc(index) as dc_index values(Group) as values_Group by new_email
| where dc_index=2

values_Group is just renaming values(Group).

Run the above query to see matching results.

————————————
If this helps, give a like below.

thambisetty · ‎09-06-2020

index=A or index=B
| eval new_email=coalesce(email,email_users)
| stats values(Group) as values_Group by new_email

to return only matched values use below query:

index=A or index=B
| eval new_email=coalesce(email,email_users)
| stats dc(index) as dc_index values(Group) as values_Group by new_email
| where dc_index=2

————————————
If this helps, give a like below.

armanih · ‎09-07-2020

Thanks @thambisetty

Can you please explain what is values_Group in stats command
" | stats values(Group) as values_Group by new_email "

The query is not working. I am only getting the list of emails and not the groups.

thanks

Splunk search on two different indexes and retrieve a matching value from one index

correlation search

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms