Combining search based on field value

thampton · ‎08-31-2020

Hello all,

I have two search strings that pull information - one pulls all the blocked emails and the second pulls the emails blocked due to the rule it was blocked on and the file name. I would like to combine these searches so that the table has the additional "File Name" field whenever the rule the email is being blocked on is a certain value.

Search 1:

index=index_name sourcetype=sourcetype_name
| stats count by _time, email_domain, rule_name, email_ID

Search 2:

index=index_name sourcetype=sourcetype_name rule=hasFile file_name=*
| table _time, email_ID, file

Note:
Both searches have the email_ID that match and I've been trying to use that value to no avail.

Thanks in advance for the assistance!

ITWhisperer · ‎08-31-2020

Are both searches on the same index and sourcetype? If not, would a left join by email_ID be useful here?

The first search includes a count - is this still required and if so do you also want to count by file name as well?

Combining search based on field value

eval

fields

join

stats

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation

Combining search based on field value

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.