Solved: Help needed with inner join with different field n...

harryhcg · ‎01-24-2023

Can someone help with query?

I have 2 index abc and bcz
From abc index I want to show stats for field1
where field2 from index abc matches with field3 of index bcz
and bcz index field5="value"

what I tried which is not working:

index=abc

| stats count by field1

| join type=inner field2

[search index=bcz
| rename field3 as field2

| where field5="employee_name"]

ITWhisperer · ‎01-24-2023

Try something like this

index=abc [search index=bcz 
  | where field5="employee_name"
  | rename field3 as field2
  | fields field2]
| stats count by field1

View solution in original post

ITWhisperer · ‎01-24-2023

Try something like this

index=abc [search index=bcz 
  | where field5="employee_name"
  | rename field3 as field2
  | fields field2]
| stats count by field1

harryhcg · ‎01-24-2023

@ITWhisperer You are awesome, I was so stupid.
Thank you.

Help needed with inner join with different field name and a filter

join

subsearch

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector