Splunk Search

How to map an matching result from 1 query to another

saimack
New Member

Please help me in this query.
--I have a query which produces result like
uid user ip
1001 xyz 1.1.1.1
1002 abc 1.1.1.1
--another query which returns
ip logintime loginLength
xyz 10:00 180
abc 15:00 280

=>how can i combine the result like
uid loginlength
1001 180
1002 280

Thanks !

Tags (1)
0 Karma

raghu_vedic
Path Finder

first get the first query data i.e uid and user as index=your_index_name | stats count by uid user
then map it with second query as | map search="search index=your_index_name
ip=$user$
and then display as | stats first(loginLength) as $uid$

final query is
***index=your_index_name | stats count by uid user
| map search="search index=your_index_name
ip=$user$ | stats first(loginLength) as $uid$
* | transpose"**

0 Karma

jplumsdaine22
Influencer

It would be a great help if you posted your searches. Also check out this handy guide on event correlation:

http://docs.splunk.com/Documentation/Splunk/6.3.2/Search/Abouteventcorrelation

0 Karma

somesoni2
Revered Legend

Without knowing your searches, the suggestion would be this

your first search giving uid, user, ip | append [ your second search  giving ip logintime loginLength ]  | stats values(loginLength) as loginLenght by uid

There may be an option to avoid subsearch, but we can see unless we see your actual searches.

0 Karma
Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...