Re: Combining search based on field value

thampton · ‎08-31-2020

Hello all,

I have two search strings that pull information - one pulls all the blocked emails and the second pulls the emails blocked due to the rule it was blocked on and the file name. I would like to combine these searches so that the table has the additional "File Name" field whenever the rule the email is being blocked on is a certain value.

Search 1:

index=index_name sourcetype=sourcetype_name
| stats count by _time, email_domain, rule_name, email_ID

Search 2:

index=index_name sourcetype=sourcetype_name rule=hasFile file_name=*
| table _time, email_ID, file

Note:
Both searches have the email_ID that match and I've been trying to use that value to no avail.

Thanks in advance for the assistance!

ITWhisperer · ‎08-31-2020

Are both searches on the same index and sourcetype? If not, would a left join by email_ID be useful here?

The first search includes a count - is this still required and if so do you also want to count by file name as well?

Combining search based on field value

eval

fields

join

stats

table

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Combining search based on field value