Re: JOIN with search from 2 sources

garrywilmeth · ‎02-23-2023

Hi,

I am trying to figure out how to use join to table the results from 2 searches.

sourcetype=AAD_MSGraph_UserData

AAD_OnPremSID
AAD_Email
AAD_UserType
AAD_LastSignInDateTime
AAD_LastNonInteractiveSignInDateTime
AAD_LastPWChange

sourcetype=AD_UserData

AD_SID
AD_UserPrincipalName
AD_LastLogon

JOIN ON:

AAD_OnPremSID AND AD_SID

TABLE RESULTS:

AAD_OnPremSID, AAD_Email, AAD_UserType, AAD_LastPWChange, AAD_LastSignInDateTime, AAD_LastNonInteractiveSignInDateTime, AD_LastLogon

Thanks!

Garry

scelikok · ‎02-23-2023

Hi @garrywilmeth,

You can use below search without join.

index=your_index sourcetype=AAD_MSGraph_UserData OR sourcetype=AD_UserData 
| eval sid=coalesce(AAD_OnPremSID,AD_SID) 
| stats values(AAD_*) as * values(AD_LastLogon) as AD_LastLogon by AAD_OnPremSID 
| table AAD_OnPremSID AAD_Email AAD_UserType AAD_LastPWChange AAD_LastSignInDateTime AAD_LastNonInteractiveSignInDateTime AD_LastLogon

If this reply helps you an upvote and "Accept as Solution" is appreciated.

garrywilmeth · ‎03-15-2023

Hello,

I just got a chance to give this a try. It populated the SID in the table, but no other data for any of the other columns.

Thanks,

Garry

How to join with search from 2 sources?

join

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation