How to create subsearch/join query to get extra fi...

psimoes · ‎08-02-2023

I'm trying to do a simple query to get a hostname from events in a different sourcetype. I have a event in sourcetype A, which don't have a field "host_name". This field is present in sourcetype B. The index is the same, let's call it X. Both events can be matched through the field "sensor_id". I want to retrieve the field "process_command_line" from sourcetype A and host_name from sourcetype B, for the events that match the same "sensor_id" field. Here's a sample query that works:

index=X sourcetype=B [search index=X sourcetype=A | table sensor_id] | table sensor_id host_name

However, I also need to retrieve the process_command_line, which is only present in sourcetype A. If I add that to the subsearch, it retrieves zero results:

index=X sourcetype=B [search index=X sourcetype=A | table sensor_id process_command_line] | table sensor_id host_name process_command_line

Any idea how can I retrieve all three fields?

ITWhisperer · ‎08-02-2023

index=X (sourcetype=A OR sourcetype=B)
| stats values(process_command_line) as process_command_line values(host_name) as host_name by sensor_id

How to create subsearch/join query to get extra field?

subsearch

Get Schooled with Splunk Education: Explore Our Latest Courses

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)