I have the following inputlookup
| inputlookup ad_identities |search sAMAccountName=unetho |table sAMAccountName, displayName, userPrincipalName
result:
ABCDE First LastName emailadress
index=pan_logs rule="VL-PROD_VL-LAPTOPS-no-log" src_user=*unetho
| eval user_id=substr(src_user, 9, len(src_user))
| table user_id, app | dedup user_id
result
ABCDE SSL
The result I need is:
ABCDE First LastName emailadress SSL
where (ABCDE from 1st query) = (ABCDE from 2nd query)
@kemnean2001
Below query will help you:
| inputlookup ad_identities | search sAMAccountName=unetho | table sAMAccountName, displayName, userPrincipalName | rename sAMAccountName as user_id
| join user_id
    [search index=pan_logs rule="VL-PROD_VL-LAPTOPS-no-log" src_user=*unetho
    | eval user_id=substr(src_user, 9, len(src_user))
    | table user_id, app | dedup user_id]
| table user_id, displayName, userPrincipalName, app
Hello kemnean2001,
The join command is used to join two searches having at least one field in common.
https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Join
This link might help you.
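Added example, not from either answer above: the same enrichment done with the lookup command instead of join, which avoids running the AD side as a subsearch (and so the subsearch result and time limits that join is subject to). It assumes ad_identities is configured as a lookup table and that its sAMAccountName values match the extracted user_id exactly (lookup matching is case-sensitive by default).

```spl
index=pan_logs rule="VL-PROD_VL-LAPTOPS-no-log" src_user=*unetho
| eval user_id=substr(src_user, 9, len(src_user))
| dedup user_id
| lookup ad_identities sAMAccountName AS user_id OUTPUT displayName, userPrincipalName
| table user_id, displayName, userPrincipalName, app
```

Unlike join, lookup keeps rows with no matching sAMAccountName (displayName and userPrincipalName are simply empty), so append `| where isnotnull(displayName)` if only users found in AD should be listed.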