Solved: Re: Combining 2 different search results based on ...

selim · ‎05-09-2013

Hello,

I have 2 different searches for 2 different sourcetypes with field extractions. I'm doing the field extractions for search1 for xml data.

search1:

sourcetype=xmlapp | xmlkv

search2:

sourcetype=app2

I'd like to combine searches in such a way that when field2 from search2 does NOT match any existing field1 from search1, I need to create an alert. Any help is greatly appreciated.

Ayn · ‎05-09-2013

I believe something like this should work:

sourcetype=xmlapp | xmlkv | search NOT [search sourcetype=app2 | rename field2 as field1 | fields field1]

View solution in original post

Ayn · ‎05-09-2013

I believe something like this should work:

sourcetype=xmlapp | xmlkv | search NOT [search sourcetype=app2 | rename field2 as field1 | fields field1]

Ayn · ‎05-05-2014

Hi @pramit46, I renamed it because the requirement was that values from field2 in the subsearch would be matched to values of field1 in the main search.

pramit46 · ‎05-01-2014

@Ayn, Can you please explain why did you rename the field2?
I also have the same question as that in Selim's comment. Any help would be appreciated.

selim · ‎05-15-2013

Thank you. That works for finding the events. So, how do display more fields (e.g. field1, field2, field3 from search#1 and field4, field5 from search#2) to the results so that I can display them in a table (or chart)? I tried fields command but was not successful.

Combining 2 different search results based on fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation