Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to join below 2 indexes?

utkarsh_s
New Member
‎01-08-2020 08:28 AM

Join below 2 indexes on basis of user

index=_internal sourcetype=splunkd_ui_access q!=""
| rex field=uri_query "display\.page\.search\.mode=(?[^\&]+)"
| table _time host user q search_mode
| eval query=urldecode(q)
| where (search_mode="verbose") AND (user!="-")
| stats values(host) as hosts last(query) as query count(user) as "# of verbose searches" by user
| rename query as "Recent Verbose Search"
| fields user hosts "# of verbose searches" "Recent Verbose Search"
| sort - "# of verbose searches"

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT
"search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | stats count by user search _time | sort _time | convert ctime(_time)
| stats list(_time) as Time list(search) as Searches by user
Tags (1)
0 Karma
Reply

johnathanpalosn
Engager
‎01-08-2020 10:10 AM

I'm still new to this so bear with me but couldn't you do something along the lines of:

(index=_internal sourcetype=splunkd_ui_access q!="") OR ( index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT
"search='typeahead" NOT "search='| metadata type=* | search totalCount>0")
| rex field=uri_query "display.page.search.mode=(?[^&]+)"
| stats count by user search _time | sort _time | convert ctime(_time)
| stats list(_time) as Time list(search) as Searches by user
| table _time host user q search_mode
| eval query=urldecode(q)
| where (search_mode="verbose") AND (user!="-")
| stats values(host) as hosts last(query) as query count(user) as "# of verbose searches" by user
| rename query as "Recent Verbose Search"
| fields user hosts "# of verbose searches" "Recent Verbose Search"
| sort - "# of verbose searches"

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...