I'm trying to search between 2 indexes that correl...

payton_tayvion · ‎02-11-2021

I'm trying to search between 2 indexes that correlates field value to return back certain fields.

For example index a has the fieldname named src_ip and index b has a fieldname named src. The values are the same, but the fieldname are different. I want to use these values to correlate the data, but I want to also return field names that aren't in index a, but located in index b.

Here's my current quey.

index=a categories="media"
| where bytes_out > bytes_in 
| fields _time, cs_user, src_ip, cs_auth_group, cs_host, cs_method, status, bytes_in, bytes_out, cs_User_Agent
| eval src=src_ip
| join src
    [ search index=b 
    | fields log_subtype, cat]

scelikok · ‎02-11-2021

Hi @payton_tayvion,

You should keep src field on subsearch in order to be able to join. Please try below;

index=a categories="media"
| where bytes_out > bytes_in 
| fields _time, cs_user, src_ip, cs_auth_group, cs_host, cs_method, status, bytes_in, bytes_out, cs_User_Agent
| eval src=src_ip
| join src
    [ search index=b 
    | fields src, log_subtype, cat]

If this reply helps you an upvote and "Accept as Solution" is appreciated.

I'm trying to search between 2 indexes that correlates field value to return back certain fields.

join

subsearch

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

I'm trying to search between 2 indexes that correlates field value to return back certain fields.

join

subsearch

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey