Splunk Search

How to combine two searches so that I can get only those rows from Search2 whose Col-1 value is present in Search1 Col-1?

anil_kr01
Explorer

Hi

I have a search which gives the top 4 records.

Example

Search1 result looks like

Col-1

ABC
DEF
GHI
JKL

I have another search which gives a result like:

Search2 result looks like:

Col-1 Col-2

ABC 123
DEF 456
GHI 789
ABC 101
JKL 112
MNO 131
PQR 415
STU 161
VWX 718

How can I get the result below using the 2 searches above (only those rows from Search2 whose Col-1 value is present in Search1 Col-1)?

Expected Final Result Table

Col-1 Col-2

ABC 123
DEF 456
GHI 789
ABC 101
JKL 112

Please guide/help me.

0 Karma

bainskaransingh
New Member

You can try this:

search2 | table Col1 Col2 | join Col1 [search search1 | table Col1]

Please let me know if this doesn't work, and mark as answered if it works.

0 Karma
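The subsearch pattern discussed in this thread, written out as an added example (not code from any poster here). Both result sets are built with makeresults so it runs on any Splunk instance with no indexed data; the field names Col1 and Col2 (without the hyphen, which would otherwise need quoting in eval) and the sample values are assumptions taken from the question's tables. The inner search plays the role of Search1 (the top-4 list), the outer pipeline the role of Search2:

```spl
| makeresults count=9
| streamstats count AS n
| eval Col1=case(n=1,"ABC", n=2,"DEF", n=3,"GHI", n=4,"ABC", n=5,"JKL", n=6,"MNO", n=7,"PQR", n=8,"STU", n=9,"VWX")
| eval Col2=case(n=1,123, n=2,456, n=3,789, n=4,101, n=5,112, n=6,131, n=7,415, n=8,161, n=9,718)
| fields - _time n
| search
    [ | makeresults count=4
      | streamstats count AS n
      | eval Col1=case(n=1,"ABC", n=2,"DEF", n=3,"GHI", n=4,"JKL")
      | fields Col1
      | format ]
| table Col1 Col2
```

The subsearch is evaluated first and `format` turns its rows into the expression `( ( Col1="ABC" ) OR ( Col1="DEF" ) OR ( Col1="GHI" ) OR ( Col1="JKL" ) )`, which the outer `search` then applies as a filter, returning the five expected rows including both ABC rows. The `fields Col1` line is the part people usually miss: without it every other field the subsearch returns is ANDed into each clause and nothing matches. `format` is implicit at the end of a subsearch, so it can be omitted; it is spelled out here to make the mechanism visible. A `| join Col1 [ ... ]` as in the answer above gives the same result for this data, but it is a heavier operation and is usually only worth it when you need columns from both sides. Either way, subsearches are bounded by default (10,000 results and 60 seconds), so if Search1 can grow large, store it in a lookup or combine both searches into one base search and filter with stats instead.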

sundareshr
Legend

Try this...

source=A OR source=B | eventstats dc(source) as x by col1 | where x=2 AND source=B | table col1 col2
0 Karma

ctaf
Contributor

Hello,

Have you tried :

Query 2 [ Query 1 ]

anil_kr01
Explorer

I downvoted this post because the suggested way is not working.

0 Karma

anil_kr01
Explorer

I have tried that but it doesn't work 😞

0 Karma

ctaf
Contributor

Is the field name of Col-1 the same in both queries?

0 Karma

anil_kr01
Explorer

Yes! It is the same in both queries.

0 Karma