Re: subsearch/join query to get extra field

psimoes · ‎08-02-2023

I'm trying to do a simple query to get a hostname from events in a different sourcetype. I have a event in sourcetype A, which don't have a field "host_name". This field is present in sourcetype B. The index is the same, let's call it X. Both events can be matched through the field "sensor_id". I want to retrieve the field "process_command_line" from sourcetype A and host_name from sourcetype B, for the events that match the same "sensor_id" field. Here's a sample query that works:

index=X sourcetype=B [search index=X sourcetype=A | table sensor_id] | table sensor_id host_name

However, I also need to retrieve the process_command_line, which is only present in sourcetype A. If I add that to the subsearch, it retrieves zero results:

index=X sourcetype=B [search index=X sourcetype=A | table sensor_id process_command_line] | table sensor_id host_name process_command_line

Any idea how can I retrieve all three fields?

ITWhisperer · ‎08-02-2023

index=X (sourcetype=A OR sourcetype=B)
| stats values(process_command_line) as process_command_line values(host_name) as host_name by sensor_id

How to create subsearch/join query to get extra field?

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation