How to join the result of an inputlookup and the o...

kemnean2001 · ‎05-28-2019

I have the following inputlookup

| inputlookup ad_identities |search sAMAccountName=unetho |table sAMAccountName, displayName, userPrincipalName

result:

ABCDE   First LastName  emailadress

index=pan_logs rule="VL-PROD_VL-LAPTOPS-no-log" src_user=*unetho 
|eval user_id=substr(src_user , 9, len(src_user )) 
|table user_id, app  | dedup user_id

result

ABCDE   SSL

The result id need is:

ABCDE   First LastName  emailadress    SSL    
where (ABCDE from 1ste query)= (ABCDE from 2e query)

vishaltaneja070 · ‎05-29-2019

@kemnean2001

Below query will help you:

    | inputlookup ad_identities |search sAMAccountName=unetho |table sAMAccountName, displayName, userPrincipalName | rename sAMAccountName as user_id
    | join user_id
    [search index=pan_logs rule="VL-PROD_VL-LAPTOPS-no-log" src_user=*unetho
    |eval user_id=substr(src_user , 9, len(src_user ))
    |table user_id, app | dedup user_id] | table user_id, displayName, userPrincipalName , app

ayushchoudhary · ‎05-29-2019

Hello kemnean2001,

join command is used to join to searches having atleast one same field.

https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Join

this link might help you.

How to join the result of an inputlookup and the output of a search?

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?