Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create subsearch/join query to get extra field?

psimoes
Loves-to-Learn
‎08-02-2023 02:35 PM

I'm trying to do a simple query to get a hostname from events in a different sourcetype. I have a event in sourcetype A, which don't have a field "host_name". This field is present in sourcetype B. The index is the same, let's call it X. Both events can be matched through the field "sensor_id". I want to retrieve the field "process_command_line" from sourcetype A and host_name from sourcetype B, for the events that match the same "sensor_id" field. Here's a sample query that works:

 

 

index=X sourcetype=B [search index=X sourcetype=A | table sensor_id] | table sensor_id host_name

 

 

However, I also need to retrieve the process_command_line, which is only present in sourcetype A. If I add that to the subsearch, it retrieves zero results:

 

 

index=X sourcetype=B [search index=X sourcetype=A | table sensor_id process_command_line] | table sensor_id host_name process_command_line

 

 

Any idea how can I retrieve all three fields?

 

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2023 02:46 PM 
index=X (sourcetype=A OR sourcetype=B)
| stats values(process_command_line) as process_command_line values(host_name) as host_name by sensor_id
0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...