Join 3 source types with common field which matche...

Splunk Search

Hi All, I have query below which joins 3 sources 1,2,3 on id field, this works when id values matches across 3 sources, I have 1 additional condition for the ids could also match with substring matching for example-
id1=F80C05F3-19AF-40D3-AC73-19544E928D21
id2=XOP-F80C05F3-19AF-40D3-AC73-19544E928D21
id3=ABC-F80C05F3-19AF-40D3-AC73-19544E928D21
the query below needs modified for substring matching based on id1 existing in id2 or id3 and it needs to return the results , how can this query below be modified ?

splunk query-
sourcetype=source1 id1="*" OR sourcetype=source2 id2="*" OR sourcetype=source3 id2="*"
Id=coalesce(id1,id2,id3)
| stats count by Id sourcetype
| xyseries Id sourcetype count | fillnull source1 source2 source3 value="Not exists"
| table source1 source2 source3

Get Updates on the Splunk Community!

Join 3 source types with common field which matches on substring

join

stats

subsearch

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

Get Schooled with Splunk Education: Explore Our Latest Courses

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL