Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to map an matching result from 1 query to another

saimack
New Member
‎02-14-2016 10:16 PM

Please help me in this query.
--I have a query which produces result like
uid user ip
1001 xyz 1.1.1.1
1002 abc 1.1.1.1
--another query which returns
ip logintime loginLength
xyz 10:00 180
abc 15:00 280

=>how can i combine the result like
uid loginlength
1001 180
1002 280

Thanks !

Tags (1)
0 Karma
Reply

raghu_vedic
Path Finder
‎03-25-2016 04:33 AM

first get the first query data i.e uid and user as index=your_index_name | stats count by uid user
then map it with second query as | map search="search index=your_index_name
ip=$user$ and then display as | stats first(loginLength) as $uid$

final query is
***index=your_index_name | stats count by uid user
| map search="search index=your_index_name
ip=$user$ | stats first(loginLength) as $uid$* | transpose"**

0 Karma
Reply

jplumsdaine22
Influencer
‎02-15-2016 09:49 AM

It would be a great help if you posted your searches. Also check out this handy guide on event correlation:

http://docs.splunk.com/Documentation/Splunk/6.3.2/Search/Abouteventcorrelation

0 Karma
Reply

somesoni2
Revered Legend
‎02-15-2016 09:02 AM

Without knowing your searches, the suggestion would be this

your first search giving uid, user, ip | append [ your second search  giving ip logintime loginLength ]  | stats values(loginLength) as loginLenght by uid

There may be an option to avoid subsearch, but we can see unless we see your actual searches.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...