Splunk Search

How to join two indexes with a search

JandrevdM
Path Finder

Good day,

I want to join two indexes to show all the email addresses that the user have that signed in. 

This queries my mimecast signin logs 

index=db_mimecast splunkAccountCode=* mcType=auditLog | dedup user | table _time, user | sort _time desc


Lets say it returns a user@domain.com that singed in.

I want to then join this to show all the info from 

index=collect_identities sourcetype=ldap:query
| dedup email
| eval identity=replace(identity, "Adm0", "")
| eval identity=replace(identity, "Adm", "")
| eval identity=lower(identity)
| table email extensionAttribute10 extensionAttribute11 first last identity
| stats 
     values(email) AS email
     values(extensionAttribute10) AS extensionAttribute10
     values(extensionAttribute11) AS extensionAttribute11
     values(first) AS first
     values(last) AS last
     BY identity


I tried inner join but I do not have anything that match since my results come back as this for my second query

identityemailextensionAttribute10extensionAttribute11firstlast
USurnameuser@domain.com
userT1@domain.com
user@domain.com
user@domain.com
user@another.com
user@domain.com
userSurname

 

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The join command is very inefficient and not always necessary.  Try this query using a subsearch.

index=collect_identities sourcetype=ldap:query [ search index=db_mimecast splunkAccountCode=* mcType=auditLog
  |fields user
  | dedup user
  | eval email=user, extensionAttribute10=user, extensionAttribute11=user
  | fields email extensionAttribute10 extensionAttribute11
  | format "(" "(" "OR" ")" "OR" ")" 
  ]
| dedup email
| eval identity=replace(identity, "Adm0", "")
| eval identity=replace(identity, "Adm", "")
| eval identity=lower(identity)
| table email extensionAttribute10 extensionAttribute11 first last identity
| stats 
     values(email) AS email
     values(extensionAttribute10) AS extensionAttribute10
     values(extensionAttribute11) AS extensionAttribute11
     values(first) AS first
     values(last) AS last
     BY identity

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

The join command is very inefficient and not always necessary.  Try this query using a subsearch.

index=collect_identities sourcetype=ldap:query [ search index=db_mimecast splunkAccountCode=* mcType=auditLog
  |fields user
  | dedup user
  | eval email=user, extensionAttribute10=user, extensionAttribute11=user
  | fields email extensionAttribute10 extensionAttribute11
  | format "(" "(" "OR" ")" "OR" ")" 
  ]
| dedup email
| eval identity=replace(identity, "Adm0", "")
| eval identity=replace(identity, "Adm", "")
| eval identity=lower(identity)
| table email extensionAttribute10 extensionAttribute11 first last identity
| stats 
     values(email) AS email
     values(extensionAttribute10) AS extensionAttribute10
     values(extensionAttribute11) AS extensionAttribute11
     values(first) AS first
     values(last) AS last
     BY identity

 

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...