Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do you Join two searches based on lookup value...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ADRIANODL
Explorer
02-18-2019
08:29 PM
Hi folks,
I have 2 searches that return equivalent values based on the result of a lookup, as such:
Search 1
index=alpha tag=email SenderAddress=*@domain.com
| table *Email_Address*, Name
Search 2
index=alpha sourcetype="activities"
| spath
| search "tags{}.category_id"=USBTFR
|rex field=User_Name "(?\w{3,6})"
|eval User_Name=upper(User_Name)
|lookup tablename LogonID as User_Name OUTPUT *EmailAddress*
How can I join the result of the two searches based on the EmailAddress field?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
02-18-2019
08:45 PM
Like this:
index=alpha ((tag=email SenderAddress=*@domain.com) OR (index=alpha sourcetype="activities"))
| spath
| search "tags{}.category_id"=USBTFR OR (tag=email SenderAddress=*@domain.com)
| rex field=User_Name "(?\w{3,6})"
| eval User_Name=upper(User_Name)
| lookup tablename LogonID AS User_Name OUTPUT EmailAddressOther
| eval EmailAddress=coalesce(EmailAddress, EmailAddressOther)
| fields - EmailAddressOther And Perhaps Other Fields Too
| stats values(*) AS * BY EmailAddress
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
02-18-2019
08:45 PM
Like this:
index=alpha ((tag=email SenderAddress=*@domain.com) OR (index=alpha sourcetype="activities"))
| spath
| search "tags{}.category_id"=USBTFR OR (tag=email SenderAddress=*@domain.com)
| rex field=User_Name "(?\w{3,6})"
| eval User_Name=upper(User_Name)
| lookup tablename LogonID AS User_Name OUTPUT EmailAddressOther
| eval EmailAddress=coalesce(EmailAddress, EmailAddressOther)
| fields - EmailAddressOther And Perhaps Other Fields Too
| stats values(*) AS * BY EmailAddress
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ADRIANODL
Explorer
02-18-2019
09:30 PM
Thanks for the prompt response folks, however I'm looking to return calculated values from both indexes. I'll create another question to include it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bangalorep
Communicator
02-18-2019
08:42 PM
Does using |join EmailAddress not provide the search you want?
Get Updates on the Splunk Community!
Infographic provides the TL;DR for the 2024 Splunk Career Impact Report
We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...
Enterprise Security Content Update (ESCU) | New Releases
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
(This is the first of a series of 2 blogs).
Splunk Enterprise Security is a fantastic tool that offers robust ...
