Solved: How do you Join two searches based on lookup value...

ADRIANODL · ‎02-18-2019

Hi folks,

I have 2 searches that return equivalent values based on the result of a lookup, as such:

Search 1

index=alpha tag=email SenderAddress=*@domain.com 
| table *Email_Address*, Name

Search 2

index=alpha sourcetype="activities"
| spath
| search "tags{}.category_id"=USBTFR
|rex field=User_Name "(?\w{3,6})" 
|eval User_Name=upper(User_Name) 
|lookup tablename LogonID as User_Name OUTPUT *EmailAddress*

How can I join the result of the two searches based on the EmailAddress field?

woodcock · ‎02-18-2019

Like this:

index=alpha ((tag=email SenderAddress=*@domain.com) OR (index=alpha sourcetype="activities"))
| spath
| search "tags{}.category_id"=USBTFR OR (tag=email SenderAddress=*@domain.com)
| rex field=User_Name "(?\w{3,6})" 
| eval User_Name=upper(User_Name) 
| lookup tablename LogonID AS User_Name OUTPUT EmailAddressOther
| eval EmailAddress=coalesce(EmailAddress, EmailAddressOther)
| fields - EmailAddressOther And Perhaps Other Fields Too
| stats values(*) AS * BY EmailAddress

View solution in original post

woodcock · ‎02-18-2019

Like this:

index=alpha ((tag=email SenderAddress=*@domain.com) OR (index=alpha sourcetype="activities"))
| spath
| search "tags{}.category_id"=USBTFR OR (tag=email SenderAddress=*@domain.com)
| rex field=User_Name "(?\w{3,6})" 
| eval User_Name=upper(User_Name) 
| lookup tablename LogonID AS User_Name OUTPUT EmailAddressOther
| eval EmailAddress=coalesce(EmailAddress, EmailAddressOther)
| fields - EmailAddressOther And Perhaps Other Fields Too
| stats values(*) AS * BY EmailAddress

ADRIANODL · ‎02-18-2019

Thanks for the prompt response folks, however I'm looking to return calculated values from both indexes. I'll create another question to include it.

bangalorep · ‎02-18-2019

Does using |join EmailAddress not provide the search you want?

How do you Join two searches based on lookup values?

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

How do you Join two searches based on lookup values?

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard