Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I join these two searches?

IRHM73
Motivator
‎08-28-2015 01:00 AM

Hi, I wonder whether someone may be able to help me please.

I'm using the following searches:

Search 1 - "EI Auth"

Auth - index="main" auditSource=*auth* auditType=LoginEntitlements detail.Ref=* 
| stats count by detail.Ref 
| rename detail.Ref AS REF

*Search 2 - "EI Microservice" *

MicroService - auditSource="ei-microservice" detail.StatusCode="*" 
| stats count by detail.ERef 
| rename detail.ERef AS REF

What I'm trying to do is join the two using the field REF, but despite looking at the tutorial on the Splunk documentation and receiving help here I've still been unable the join the two.

Could someone perhaps show me please how I can join the two searches, and could you also confirm for me please whether I have to run the two searches separately before running the 'Join' search?

Many thanks and kind regards

Chris

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎08-28-2015 02:18 AM

First, use OR to get both:

(auditSource=auth auditType=LoginEntitlements detail.Ref=*) OR (auditSource="ei-microservice" detail.StatusCode="*" )

Secondly, use eval's coalesce() to push the two into a new field:

| eval REF = coalesce(detail.ERef, detail.Ref)

Thirdly, perform the glorious stats count

| stats count by REF

Does that do what you're looking for ?

Edit: To answer your question, when to use join:

alt text

View solution in original post

Preview file
1 KB
Reply
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎08-28-2015 02:18 AM

First, use OR to get both:

(auditSource=auth auditType=LoginEntitlements detail.Ref=*) OR (auditSource="ei-microservice" detail.StatusCode="*" )

Secondly, use eval's coalesce() to push the two into a new field:

| eval REF = coalesce(detail.ERef, detail.Ref)

Thirdly, perform the glorious stats count

| stats count by REF

Does that do what you're looking for ?

Edit: To answer your question, when to use join:

alt text

Preview file
1 KB
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-28-2015 07:31 AM

Is this flowchart PNG a creation by @aljohnson or someone else? Is there a broader context (maybe other great flowcharts) that I can see online?

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎08-29-2015 01:22 AM

@woodcock the flowchart is from the docs, here, and the information within in it provided by @sideview (Nick Mealy)

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎08-29-2015 09:41 AM

o/ It's true the flowchart was included in the docs based on a nearly identical flowchart that I made years ago. Needs some updating probably. Maybe even an expansion of scope beyond just row aggregation. It comes in most handy when you try to explain to relatively new splunkers why they really shouldn't use join or append. Somewhat early on join clicks with new users, particularly those with SQL experience and they think of it as a primary tool. It is not. It is an edge case tool, where stats and eval are the primary tools. Short Version: If you think you need to use join, go find this flow chart and it'll probably tell you there's a better way.

Reply
Solved! Jump to solution

IRHM73
Motivator
‎08-28-2015 04:01 AM

Hi @aljohnson, I've had problems with Splunk this morning, and I think that this was the cause of the problems because the query is now showing no results found.

Many thanks and kind regards

Chris

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎08-28-2015 04:10 AM

Sounds frustrating. If you need help on this query once you've resolved your other issues, you can @ mention me here again 🙂

0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎08-28-2015 04:17 AM

That's great, I really appreciate it.

Kind Regards

Chris

0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎08-28-2015 02:27 AM

Hi @aljohnson many thanks for taking the time to come back to me with this, I've tested the solution and unfortunately this doesn't return any statistics although it does return events.

Could you also possibly explain to me please in what situation would you use a join query?

Many thanks and kind regards

Chris

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎08-28-2015 03:08 AM

I know for sure that this should world - it should return statistics...
What you're asking to do is very easy - searching over two sourcetypes to count two fields.
Are you sure there isn't anything you're leaving out of your examples ?

I've updated my question to include a flowchart.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...