Splunk Search

Join 2 searches which have a common field under 2 different field names with the same value

Dharani
Path Finder

Hi, 

My main goal is to find user id.

index=A sourcetype=signlogs outcome=failure

The above search has a field called processId but it doesn't have the userId which I need.

index=A sourcetype=accesslogs --> This search has a SignatureProcessId (which is the same as processId in search 1) and also has userId.

So I need to join these 2 queries on the common field processId/SignatureProcessId.

I tried the below query but it returns 0 events:

index=A sourcetype=signlogs outcome=failure
| dedup processId
| rename processId as SignatureProcessId
| join type=inner SignatureProcessId [ search index=A sourcetype=accesslogs | dedup SignatureProcessId ]
| table _time, SignatureProcessId, userId

 

Someone please help with fixing this query.

0 Karma

ITWhisperer
SplunkTrust

Try something like this

index=A (sourcetype=signlogs outcome=failure) OR (sourcetype=accesslogs)
| eval processId=coalesce(processId, SignatureProcessId)
| eventstats values(userId) as userId by processId
0 Karma
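As an added example (not part of ITWhisperer's answer): the search above keeps every event from both sourcetypes, because eventstats annotates events with the aggregate rather than filtering them. Filtering on sourcetype after the eventstats keeps only the signlogs failure events, each now carrying the userId copied from the accesslogs event(s) with the same process id. Index, sourcetype and field names are taken from the question.

```spl
index=A (sourcetype=signlogs outcome=failure) OR sourcetype=accesslogs
| eval processId=coalesce(processId, SignatureProcessId)
| eventstats values(userId) as userId by processId
| search sourcetype=signlogs
| table _time, processId, userId
```

Failure events whose processId has no matching accesslogs event keep an empty userId; append `| where isnotnull(userId)` to drop them, or leave them in to see failures with no access record, which is often the more interesting set. Correlating with eventstats also avoids the subsearch used by join, which is limited by default (50,000 results and 60 seconds, per the [join] stanza in limits.conf) and silently truncates matches when accesslogs is large.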

Dharani
Path Finder

Hi, 

It's not working.

It returns all the logs for sourcetype=accesslogs.

But our aim is to join the 2 sourcetypes to get userId for the failure logs.

0 Karma

ITWhisperer
SplunkTrust

Please share some anonymised sample events in a code block for both source types demonstrating the common fields you want to use to correlate the events by.

0 Karma