Join 2 searches which has common fields as 2 diffe...

Dharani · ‎11-08-2023

Hi,

My main goal is to find user id.

Index=A sourcetype=signlogs outcome=failure

The above search has a field name called processId but it doesn't have the userId which I needed.

Index=A sourcetype=accesslogs -->This search has a SignatureProcessId( which is same as processId in the search1) and also it has userId.

So I need to join these 2 query with common field as processId/SignatureProcessId

I tried the below query but it results 0 events:

Index=A sourcetype=signlogs outcome=failure

| dedup processId | rename processId as SignatureProcessId | join type=inner SignatureProcessId [Index=A sourcetype=accesslogs | dedup SignatureProcessId ]

| Table _time, SignatureProcessId, userId

Someone please help with fixing this query.

ITWhisperer · ‎11-08-2023

Try something like this

index=A (sourcetype=signlogs outcome=failure) OR (sourcetype=accesslogs)
| eval processId=coalesce(processId, SignatureProcessId)
| eventstats values(userId) as userId by processId

Dharani · ‎11-14-2023

Hi,

It's not working.

It results all the logs for sourcetype=accesslogs.

But our aim is to join the 2 sourcetypes to get userId for failure logs

ITWhisperer · ‎11-15-2023

Please share some anonymised sample events in a code block for both source types demonstrating the common fields you want to use to correlate the events by.

Join 2 searches which has common fields as 2 different field name with same value

fields

join

subsearch

table

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...