
How to combine two searches so that I can get only those rows from Search2 whose Col-1 value is present in Search1 Col-1?

Explorer

Hi

I have a search which gives the top 4 records.

Example

Search1 result looks like

Col-1

ABC
DEF
GHI
JKL

I have another search which gives a result like:

Search2 result looks like:

Col-1 Col-2

ABC 123
DEF 456
GHI 789
ABC 101
JKL 112
MNO 131
PQR 415
STU 161
VWX 718

How can I get the below result using the 2 searches above (Only those rows from Search2 whose Col-1 value is present in Search1 Col-1)?

Expected Final Result Table

Col-1 Col-2

ABC 123
DEF 456
GHI 789
ABC 101
JKL 112

Please guide/help me.

0 Karma

Re: How to combine two searches so that I can get only those rows from Search2 whose Col-1 value is present in Search1 Col-1?

Contributor

Hello,

Have you tried:

Query 2 [ Query 1 ]

Re: How to combine two searches so that I can get only those rows from Search2 whose Col-1 value is present in Search1 Col-1?

Explorer

I have tried that but it doesn't work 😞

0 Karma

Re: How to combine two searches so that I can get only those rows from Search2 whose Col-1 value is present in Search1 Col-1?

Contributor

Is the field name of Col-1 the same in both queries?

0 Karma

Re: How to combine two searches so that I can get only those rows from Search2 whose Col-1 value is present in Search1 Col-1?

Explorer

Yes! It is the same in both queries.

0 Karma

Re: How to combine two searches so that I can get only those rows from Search2 whose Col-1 value is present in Search1 Col-1?

Explorer

I downvoted this post because the suggested way is not working....

0 Karma

Re: How to combine two searches so that I can get only those rows from Search2 whose Col-1 value is present in Search1 Col-1?

Legend

Try this...

source=A OR source=B | eventstats dc(source) as x by col1 | where x=2 AND source="B" | table col1 col2
0 Karma

Re: How to combine two searches so that I can get only those rows from Search2 whose Col-1 value is present in Search1 Col-1?

New Member

You can try this:

search2 | table Col1, col2 | join Col1 [search search1 | table Col1]

Please let me know if this doesn't work and mark as answered if it works

0 Karma
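
The subsearch filter discussed in this thread, as an added example that is not part of any post. It rebuilds the question's two result sets with `makeresults` so it can be pasted into a search bar as-is; the field names `Col1` and `Col2` (no hyphen) and the `raw` helper field are assumptions made for this example. The outer pipeline stands in for Search2, and the bracketed subsearch stands in for Search1 and returns only `Col1`, which Splunk expands into `(Col1="ABC") OR (Col1="DEF") OR ...` before the outer `search` runs.

```spl
| makeresults
| eval raw=split("ABC:123,DEF:456,GHI:789,ABC:101,JKL:112,MNO:131,PQR:415,STU:161,VWX:718", ",")
| mvexpand raw
| rex field=raw "(?<Col1>[^:]+):(?<Col2>\d+)"
| search
    [| makeresults
     | eval Col1=split("ABC,DEF,GHI,JKL", ",")
     | mvexpand Col1
     | table Col1 ]
| table Col1 Col2
```

The result is the five rows of the expected table (ABC 123, DEF 456, GHI 789, ABC 101, JKL 112). The subsearch must end with only the field to match on, named exactly as in the outer search, and subsearches are truncated by default at 10,000 results and 60 seconds, so a large Search1 can silently drop values from the filter.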