How to combine 2 searches with same value and fiel...

Allene139 · ‎04-11-2022

I have 2 searches and I want to link 2 together in one table.

The first search:

index=very_big_index caseNumber=1234567799

| table _time Name caseNumber UID phone.

This displays the following as expected, but the phone field is blank:

_time	Name	caseNumber	UID	phone
11APR2022	John Smith	1234567799	111222333444555666777

The second search with the UID yields the phone number but nothing else:

index=very_big_index 111222333444555666777
| stats values(phone) as phone

results:

phone

123-555-1234

How can I efficiently link these 2 searches together using the common field name/value of UID/111222333444555666777

Stefanie · ‎04-12-2022

In your first search,

index=very_big_index caseNumber=1234567799

| table _time Name caseNumber UID phone

Is phone blank because the value should be "phone_number"?

Does this search not return your results?

index=very_big_index caseNumber=1234567799

| table _time Name caseNumber UID phone_number

Allene139 · ‎04-12-2022

Apologies for the confusion. The name of the field is "phone." But I used "phone_number" when I was sanitizing the data for this post. I fixed the post. Thank you

Allene139 · ‎04-12-2022

That didn't work. The phone number field is blank. But thank you.

blbr123 · ‎04-11-2022

index=very_big_index caseNumber=1234567799 111222333444555666777 | stats values(phone_number) as phone by _time Name caseNumber UID

How to combine 2 searches with same value and field name.

join

subsearch

transaction

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!