Hi,
We are looking to join 2 searches using a field called UserID
Can someone help us? Below are the basic searches.
From subset of search 1, we want to join search1 and search2 on field "Userid"
index=main host="server1" sourceID="code1" Code="Empty" Method="account" Status="false" Count="1"
index=main host="server1" sourceID="code1" Code="Social" Method="account" Status="true" Count="2"
Like this:
index=main host="server1" sourceID="code1" Method="account" (Code="Empty" Status="false" Count="1") OR (Code="Social" Status="true" Count="2")
| fields - Status Count
| stats values(*) AS * by Userid
Hi splunker9999,
how about this:
index=main host="server1" sourceID="code1" ( Code="Empty" Method="account" Status="false" Count="1" ) OR ( Code="Social" Method="account" Status="true" Count="2" )
| stats values(*) AS * by Userid
You can be more specific and replace the values(*) AS * with a parameter like this: values(Code) AS Code or values(Status) AS Status.
More details about this topic can be found here https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... or in the March 2016 session of the virtual .conf http://wiki.splunk.com/Virtual_.conf
Hope this helps ...
cheers, MuS
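The following is an added example, not code from any of the posts above: a small Python model of what the combined `(...) OR (...) | stats values(*) AS * by Userid` search returns, showing that a Userid matching only one of the two branches still gets a row, unlike an inner join. The events, the helper names and the `in_both` filter are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample events (not from the thread); field names follow the searches above.
EVENTS = [
    {"Userid": "u1", "Code": "Empty", "Method": "account", "Status": "false", "Count": "1"},
    {"Userid": "u1", "Code": "Social", "Method": "account", "Status": "true", "Count": "2"},
    {"Userid": "u2", "Code": "Empty", "Method": "account", "Status": "false", "Count": "1"},
    {"Userid": "u3", "Code": "Social", "Method": "account", "Status": "true", "Count": "2"},
    # Matches neither branch (Social but Status=false), so the OR search drops it.
    {"Userid": "u3", "Code": "Social", "Method": "account", "Status": "false", "Count": "2"},
]

# The two per-search conditions from the question (hypothetical constant names).
BRANCH_1 = {"Code": "Empty", "Status": "false", "Count": "1"}
BRANCH_2 = {"Code": "Social", "Status": "true", "Count": "2"}


def matches(event, branch):
    return all(event.get(k) == v for k, v in branch.items())


def or_search(events):
    """(branch 1) OR (branch 2): a single pass over the events, no subsearch."""
    return [e for e in events if matches(e, BRANCH_1) or matches(e, BRANCH_2)]


def stats_values_by(events, key):
    """Model of `stats values(*) AS * by <key>`: sorted distinct values per field."""
    grouped = defaultdict(lambda: defaultdict(set))
    for e in events:
        if key not in e:  # stats ignores events that lack the by-field
            continue
        for field, value in e.items():
            if field != key:
                grouped[e[key]][field].add(value)
    return {k: {f: sorted(v) for f, v in fields.items()} for k, fields in grouped.items()}


def in_both(rows, field="Code", expected=2):
    """Keep only keys that appeared in both branches (inner-join behaviour)."""
    return {k: r for k, r in rows.items() if len(r.get(field, [])) == expected}
```

In SPL, the counterpart of `in_both` is a filter after the `stats`, such as `| where mvcount(Code)=2`.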