Splunk Search

How do i search two seperate indexes and then output values from fields returned from each index?

ezmo1982
Path Finder

Hi,

I am trying to search across two seperate indexes and then display fields returned from both indexes on a single line of my output. 

Both indexes have a common field named "user" and I am search both indexes using this field.

The first part is "index=mcafee_wg user= supplied value"  I want to search this  index for a given value for "user" field and to display the value of a field named "url" in my output. "url" is a field in this index.

I also want to search a different index with "index=cisco_fmc user= supplied value"  As above, I want to search this index for a given value for "user" field. From this index I want to display the value of a field named "detection" which is a field in this index.

So basically i want to combine these three fields together and output them on the same line, such as:

user       url           detection

value      value     value

Thanks!

Labels (3)
Tags (4)
0 Karma
1 Solution

aasabatini
Motivator

you can try 

(index=mcafee_wg user= supplied value") | join user[search index=cisco_fmc user= supplied value"] | table user url detection

 

be careful because splunk join comand works fine with a small set of data.

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

View solution in original post

0 Karma

aasabatini
Motivator

Hi @ezmo1982 

but the user field needs to have the same values across the two indexes?

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma

ezmo1982
Path Finder

Yes, the value of the user field needs to be the same across both indexes.

0 Karma

aasabatini
Motivator

you can try 

(index=mcafee_wg user= supplied value") | join user[search index=cisco_fmc user= supplied value"] | table user url detection

 

be careful because splunk join comand works fine with a small set of data.

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
index=mcafee_wg OR index=cisco_fmc user="supplied value"
| stats values(url) as url values(detection) as detection by user
0 Karma

ezmo1982
Path Finder

One thing I forgot to mention is that both indexes contain a field named "url". I am looking to output the "url" field from just the mcafee_wg index and not the cisco_fmc index.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
index=mcafee_wg OR index=cisco_fmc user="supplied value"
| eval url=if(index="mcafee_wg", url, null)
| stats values(url) as url values(detection) as detection by user
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...