Compare identical fields from 2 searches

bigrichie90 · ‎09-19-2014

I have 2 searches which I appended and I am trying to search based on a matching session ID (to find details of a remote session). For some reason the values are not matching and returns 0 results. However, when I manually type in the session it works correctly.

One more question, there are 2 rows that come up since I am appending searches. How can I combine both rows into one?

Here is my query. . . first query is bolded for readability as well as tail end that apply to both searches.

sk314 · ‎09-19-2014

Use "join" command like so:

sourcetype=uag user=bigrichie90 action=added | eval sessionAdded=session | head 1
    | join session [search sourcetype=uag user=bigrichie90 action=removed | eval sessionRemoved=session |head 1 ] 
    | where sessionAdded==sessionRemoved

Since you can specify the exact field to join on, you don't even need the eval statements. The following statement should do just fine.

sourcetype=uag user=bigrichie90 action=added | join session [search sourcetype=uag user=bigrichie90 action=removed ]

For more information: http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Join

sk314 · ‎09-19-2014

Yes, It is expensive. You could try using transaction, like so:

sourcetype=uag user=bigrichie90 | transaction session

If you need more information on event grouping and correlation:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Search/Abouteventcorrelation

Also, this flowchart when in doubt! 🙂

http://docs.splunk.com/File:Search_event_grouping_flowchart.png

Jeff_Lightly_Sp · ‎09-19-2014

Thanks for the flowchart link - this will come in handy!

bigrichie90 · ‎09-19-2014

Wouldn't join impact performance? I was trying to stay away from joining.

Compare identical fields from 2 searches

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor