Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I need a way to join two searches from different indexes

psomeshwar
Path Finder
‎03-18-2024 07:43 AM

Currently, I need to join information from two different indexes. I cannot show the information as it is confidential, but I can give a general overview of what it should look like

Search:

index=index1 sourcetype=sourcetype1 | table ApplicationName, ApplicationVersion, ApplicationVendor, cid

Result:

ApplicationName   ApplicationVersion   ApplicationVendor   cid
name                             1.0.3                               vendor                            78fds87324
...
...

Search2:

index=index2 sourcetype=sourcetype2 | table hostname, user, cid

Result:

hostname                          user                    cid
domainname                   username        78fds87324
...
...

 

What I need is a way to show the ApplicationName, ApplicationVersion, ApplicationVendor, hostname and username all in one table connected through the cid. Anyone have any ideas?

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

psomeshwar
Path Finder
‎03-18-2024 09:10 AM

Hello @gcusello 

I managed to get it to work. The solution I used was:

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
| rename cid as cid1
| rename jsonevent.cid as cid2
| eval jcid = coalesce(cid1, cid2)
| stats stats values(ApplicationName) AS ApplicationName values(ApplicationVersion) AS ApplicationVersion values(ApplicationVendor) AS ApplicationVendor values(hostname) AS hostname values(username) AS username BY jcid


Thanks, this thread helped me a lot

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-18-2024 07:56 AM

Start with this and see if that works for you - if not please try to explain with as much detail as you can as to why it doesn't work.

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2 )
| stats values(ApplicationName) as ApplicationName, values(ApplicationVersion) as ApplicationVersion, values(ApplicationVendor) as ApplicationVendor, values(hostname) as hostname, values(user) as user by cid
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-18-2024 07:55 AM

Hi @psomeshwar,

forget the join command because your search will be very slow!

You should try to use the stats command.

Are there some rule in your join? e.g. results presnt in both the indexes or only in one of them?

I give you the solution without constrains:

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
| stats 
   values(ApplicationName) AS ApplicationName
   values(ApplicationVersion) AS ApplicationVersion
   values(ApplicationVendor) AS ApplicationVendor
   values(hostname) AS hostname
   values(username) AS username
   BY cid

Ciao.

Giuseppe

Reply
Solved! Jump to solution

psomeshwar
Path Finder
‎03-18-2024 08:16 AM

Hello,

Thanks, this does help a little, however, there is one problem. One of the indexes has their events in a json format, and the cid is formatted as jsonevent.cid. As a result, I am only getting one side of the events, and the other is blank. Is there a way to work aroudn this

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-18-2024 08:26 AM

Hi @psomeshwar ,

rename it to have the same field name:

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
| rename jsonevent.cid AS cid
| stats 
   values(ApplicationName) AS ApplicationName
   values(ApplicationVersion) AS ApplicationVersion
   values(ApplicationVendor) AS ApplicationVendor
   values(hostname) AS hostname
   values(username) AS username
   BY cid

 Ciao.

Giuseppe

Reply
Solved! Jump to solution

psomeshwar
Path Finder
‎03-18-2024 08:31 AM

Hello @gcusello 

I tried that and it didn't work. Let me show how each search works:

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2) | stats values(ApplicationName) AS ApplicationName values(ApplicationVersion) AS ApplicationVersion values(ApplicationVendor) AS ApplicationVendor values(hostname) AS hostname values(username) AS username BY cid

Result:

cid                     ApplicationName    ApplicationVersion   ApplicationVendor   hostname   username
743fsd234     AppName                   AppVersion                  AppVendor                  null                 null

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2) | rename jsonevent.cid AS cid | stats values(ApplicationName) AS ApplicationName values(ApplicationVersion) AS ApplicationVersion values(ApplicationVendor) AS ApplicationVendor values(hostname) AS hostname values(username) AS username BY cid

Result:

cid                     ApplicationName    ApplicationVersion   ApplicationVendor   hostname   username
743fsd234     null                                null                                   null                                   hostname   username

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-18-2024 08:42 AM

Hi @psomeshwar,

what are the exact fieldnames of cid in both the indexes?

if they are cid and jsonevent.cid (it's a supposition, please confirm that), please try again the above solution, using the correct field name in the rename command.

 

Ciao.

Giuseppe

Reply
Solved! Jump to solution

psomeshwar
Path Finder
‎03-18-2024 08:48 AM

Hello @gcusello 

That is exactly what I did, the field name for cid in index1 is "cid" and the field name for cid in index2 is "jsonevent.cid" When I used the rename command, I only got the results from index2 and when I did not use the rename command, I only got the results from index1

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-18-2024 08:54 AM

Hi @psomeshwar ,

please try this:

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
| eval cid=coalesce(cid,jsonevent.cid)
| stats 
   values(ApplicationName) AS ApplicationName
   values(ApplicationVersion) AS ApplicationVersion
   values(ApplicationVendor) AS ApplicationVendor
   values(hostname) AS hostname
   values(username) AS username
   BY cid

Ciao.

Giuseppe

Reply
Solved! Jump to solution
Solution

psomeshwar
Path Finder
‎03-18-2024 09:10 AM

Hello @gcusello 

I managed to get it to work. The solution I used was:

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
| rename cid as cid1
| rename jsonevent.cid as cid2
| eval jcid = coalesce(cid1, cid2)
| stats stats values(ApplicationName) AS ApplicationName values(ApplicationVersion) AS ApplicationVersion values(ApplicationVendor) AS ApplicationVendor values(hostname) AS hostname values(username) AS username BY jcid


Thanks, this thread helped me a lot

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-18-2024 09:39 AM

Hi @psomeshwar ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...