Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Join 2 searches which has common fields as 2 different field name with same value

Dharani
Path Finder
‎11-08-2023 10:22 AM

Hi, 

My main goal is to find user id.

Index=A sourcetype=signlogs outcome=failure

The above search has a field name called processId but it doesn't have the userId which I needed.

Index=A sourcetype=accesslogs -->This search has a SignatureProcessId( which is same as processId in the search1) and also it has userId.

So I need to join these 2 query with common field as processId/SignatureProcessId

I tried the below query but it results 0 events:

Index=A sourcetype=signlogs outcome=failure 

| dedup processId | rename processId as SignatureProcessId | join type=inner SignatureProcessId [Index=A sourcetype=accesslogs | dedup SignatureProcessId ] 

| Table _time, SignatureProcessId, userId

 

Someone please help with fixing this query.

Labels (4)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-08-2023 10:36 AM

Try something like this

index=A (sourcetype=signlogs outcome=failure) OR (sourcetype=accesslogs)
| eval processId=coalesce(processId, SignatureProcessId)
| eventstats values(userId) as userId by processId
0 Karma
Reply

Dharani
Path Finder
‎11-14-2023 11:06 PM

Hi, 

It's not working.

It results all the logs for sourcetype=accesslogs.

But our aim is to join the 2 sourcetypes to get userId for failure logs

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-15-2023 12:46 AM

Please share some anonymised sample events in a code block for both source types demonstrating the common fields you want to use to correlate the events by.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...