Splunk Search

How to combine two searches so that I can get only those rows from Search2 whose Col-1 value is present in Search1 Col-1?

anil_kr01
Explorer

Hi

I have a search which gives the top 4 records.

Example

Search1 result looks like

Col-1

ABC
DEF
GHI
JKL

I have another search which gives a result like:

Search2 result looks like:

Col-1 Col-2

ABC 123
DEF 456
GHI 789
ABC 101
JKL 112
MNO 131
PQR 415
STU 161
VWX 718

How can I get the below result using the 2 searches above (Only those rows from Search2 whose Col-1 value is present in Search1 Col-1)?

Expected Final Result Table

Col-1 Col-2

ABC 123
DEF 456
GHI 789
ABC 101
JKL 112

Please guide/help me.

0 Karma

bainskaransingh
New Member

You can try this:

search2 | table Col1, col2| join Col1 [search search1| table Col1]

Please let me know if this doesn't work, and mark as answered if it works.

0 Karma

sundareshr
Legend

Try this...

source=A OR source=B | eventstats dc(source) as x by col1 | where x=1 AND source=B | table col1 col2

0 Karma

ctaf
Contributor

Hello,

Have you tried:

Query 2 [ Query 1 ]

anil_kr01
Explorer

I downvoted this post because the suggested way is not working....

0 Karma

anil_kr01
Explorer

I have tried that but it doesn't work 😞

0 Karma

ctaf
Contributor

Is the field name of Col-1 the same in both queries?

0 Karma

anil_kr01
Explorer

Yes! It is the same in both queries.

0 Karma
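
The subsearch filter suggested in this thread (`Query 2 [ Query 1 ]`), as an added run-anywhere example that is not part of any post above. Both result sets are constructed inline with `makeresults format=csv` (available in recent Splunk versions), and the field names `Col1`/`Col2` without a hyphen are assumptions. The bracketed search stands in for Search1 and returns only the one field, named exactly as in Search2.

```spl
| makeresults format=csv data="Col1,Col2
ABC,123
DEF,456
GHI,789
ABC,101
JKL,112
MNO,131
PQR,415
STU,161
VWX,718"
| search
    [| makeresults format=csv data="Col1
ABC
DEF
GHI
JKL"
     | fields Col1
     | format ]
| table Col1 Col2
```

The subsearch expands to `( ( Col1="ABC" ) OR ( Col1="DEF" ) OR ... )`, so only the five rows whose `Col1` appears in the Search1 stand-in remain, including both `ABC` rows. Subsearches are capped by default at 10,000 results and 60 seconds, which suits a short list such as a top 4.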