Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to join two sources with common one common field ?

zacksoft_wf
Contributor
‎12-01-2021 03:17 AM

I have sourcetype A that has info about service_accounts such as name, AU, email , full_name, manager_name.
But some of the events in source A, do not contain the field  email , manager_name, full_name field. In those cases I have to look into another index and sourcetype, say B to fetch those data. AU is the common field name in both . Can we join the data, without having to use 'join' for performance issue ?

 

Labels (2)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-01-2021 03:21 AM

Hi

this is doable and even preferred way to join those without join. Here is couple of links how to do it and why those are better ways.

r. Ismo

0 Karma
Reply

zacksoft_wf
Contributor
‎12-01-2021 05:00 AM

I am trying to make it work. Here is my SPL, and this one works and gives me the expected results. and I am having trouble converting it to a stats .

===================================================================
`index=bayseian` account_type="Service Account" OR cred="False" OR type=W
| join type=left au
[ search index=alts sourcetype=auxilary 
| fields service_account_id,service_account_name,au,owner_elid,au_owner_name,au_owner_email ]
| eval pwd_expires=if(nopassexpire==1, "True", "False"), account_type=if(type=="S", "Service Account", account_type)
| eval elid=coalesce(elid,owner_elid)
| eval au_owner_email=coalesce(email_address,au_owner_email)
| eval au_owner_name=coalesce(full_name,au_owner_name)
| eval service_accout_name=coalesce(cn,service_account_name)
| eval service_account_id=coalesce(service_account_id,app_id)
| rename acct_name as user, account_type as type
| eventstats dc(sourcetype) as dc_st
| where dc_st>1
| eval user=lower(user)
| dedup user
| rex field=user "[^:]+:(?<user>[^\s]+)"
| table user type pwd_expires is_interactive service_account_id service_account_name au au_owner_name job_title au_owner_email owner_elid manager_name lob
| eval _key=user+".key"
==============================================================

Any help please?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...