Splunk Search

How do I search two separate indexes and then output values from fields returned from each index?

ezmo1982
Path Finder

Hi,

I am trying to search across two separate indexes and then display fields returned from both indexes on a single line of my output.

Both indexes have a common field named "user" and I am searching both indexes using this field.

The first part is "index=mcafee_wg user= supplied value"  I want to search this  index for a given value for "user" field and to display the value of a field named "url" in my output. "url" is a field in this index.

I also want to search a different index with "index=cisco_fmc user= supplied value"  As above, I want to search this index for a given value for "user" field. From this index I want to display the value of a field named "detection" which is a field in this index.

So basically I want to combine these three fields together and output them on the same line, such as:

user     url      detection
value    value    value

Thanks!

0 Karma
1 Solution

aasabatini
Motivator

You can try

index=mcafee_wg user="supplied value" | join user [search index=cisco_fmc user="supplied value"] | table user url detection


Be careful, because the Splunk join command works fine with a small set of data.

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”


0 Karma

aasabatini
Motivator

Hi @ezmo1982,

but does the user field need to have the same values across the two indexes?

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma

ezmo1982
Path Finder

Yes, the value of the user field needs to be the same across both indexes.

0 Karma


ITWhisperer
SplunkTrust
index=mcafee_wg OR index=cisco_fmc user="supplied value"
| stats values(url) as url values(detection) as detection by user
0 Karma

ezmo1982
Path Finder

One thing I forgot to mention is that both indexes contain a field named "url". I am looking to output the "url" field from just the mcafee_wg index and not the cisco_fmc index.

0 Karma

ITWhisperer
SplunkTrust
index=mcafee_wg OR index=cisco_fmc user="supplied value"
| eval url=if(index="mcafee_wg", url, null())
| stats values(url) as url values(detection) as detection by user
0 Karma
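To make the difference between the two approaches in this thread concrete, here is an added Python model (not code from the thread or from Splunk) of the two searches, run over a handful of constructed events from the two indexes. The users, URLs and detection names are made up; the field names (index, user, url, detection) are the ones the thread uses. The join model assumes Splunk's documented defaults for `join` (inner join, at most one subsearch row per main-search row, subsearch fields overwriting same-named main-search fields), and the stats model returns distinct values in lexicographic order as `values()` does.

```python
from collections import defaultdict

# Constructed sample events; each dict is one event together with its index.
# Note that the cisco_fmc index also carries a "url" field, as the asker pointed out.
EVENTS = [
    {"index": "mcafee_wg", "user": "alice", "url": "http://example.com/a"},
    {"index": "mcafee_wg", "user": "alice", "url": "http://example.com/b"},
    {"index": "mcafee_wg", "user": "bob",   "url": "http://example.com/c"},
    {"index": "cisco_fmc", "user": "alice", "url": "http://evil.test/x",
     "detection": "Malware.Test"},
    {"index": "cisco_fmc", "user": "alice", "detection": "Policy.Violation"},
    {"index": "cisco_fmc", "user": "carol", "detection": "Scan.Test"},
]


def search_index(events, index, user):
    """index=<index> user="<user>" """
    return [e for e in events if e["index"] == index and e.get("user") == user]


def search_both_indexes(events, user):
    """index=mcafee_wg OR index=cisco_fmc user="<user>"
    (in SPL the OR binds tighter than the implicit AND, so the user filter applies to both)."""
    return [e for e in events
            if e["index"] in ("mcafee_wg", "cisco_fmc") and e.get("user") == user]


def restrict_url_to_mcafee(events):
    """| eval url=if(index="mcafee_wg", url, null())  -- drop url from the other index."""
    out = []
    for e in events:
        e = dict(e)
        if e["index"] != "mcafee_wg":
            e.pop("url", None)
        out.append(e)
    return out


def stats_values_by_user(events):
    """| stats values(url) as url values(detection) as detection by user
    One row per user; values() yields the distinct values in sorted order."""
    urls, detections, users = defaultdict(set), defaultdict(set), set()
    for e in events:
        u = e["user"]
        users.add(u)
        if e.get("url") is not None:
            urls[u].add(e["url"])
        if e.get("detection") is not None:
            detections[u].add(e["detection"])
    return {u: {"user": u, "url": sorted(urls[u]), "detection": sorted(detections[u])}
            for u in sorted(users)}


def join_user(main, sub, max_matches=1, overwrite=True):
    """Model of `| join user [search ...]` with Splunk's defaults (assumption stated
    in the lead-in): inner join, max=1 subsearch row per main row, overwrite=true."""
    by_user = defaultdict(list)
    for s in sub:
        by_user[s["user"]].append(s)
    rows = []
    for m in main:
        for s in by_user.get(m["user"], [])[:max_matches]:   # no match -> row dropped
            row = dict(m)
            for k, v in s.items():
                if overwrite or k not in row:
                    row[k] = v                               # cisco url replaces mcafee url
            rows.append(row)
    return rows


def correlate(events, user):
    """The accepted stats-based answer: both indexes, url restricted to mcafee_wg."""
    return stats_values_by_user(restrict_url_to_mcafee(search_both_indexes(events, user)))


if __name__ == "__main__":
    print("join  :", [(r["user"], r["url"], r.get("detection")) for r in
                      join_user(search_index(EVENTS, "mcafee_wg", "alice"),
                                search_index(EVENTS, "cisco_fmc", "alice"))])
    print("stats :", correlate(EVENTS, "alice")["alice"])
```

Running the two models side by side shows why the stats version is the safer correlation: the join keeps only the first cisco_fmc event per user, drops users with no match in the subsearch, and by default lets the subsearch's url field overwrite the mcafee_wg url, which is exactly the collision the asker raised. The stats version keeps every detection, and the eval step is what stops the cisco_fmc url from being mixed into the result.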