Re: Join command not working - Splunk Community

Splunk Search

I want to extend the results of the first search : add the column category (from the 2 search) to the results of the 1 search.

The results of the first search appear:

The results of the 2 search are also present:

2 datasets have one common field dns_query .

But using join command no matches are found in these 2 datasets are found (it`s impossible, because I checked some of the dns_query )

Any ideas what can be wrong?

1st search result dns_query:
XXX.google.com

2nd search result dns_query:
XXX.google.com.

There is extra asterisk on 2nd search.

[search `umbrella`|fields category dns_query| eval dns_query=dns_query."."]

how about this?

While google.com exists in the dns_query fields, there isn't a complete match hence no results. You should evaluate the presence of google.com into another field in both searches and join on that field.

| rex field=dns_query "(?<google>google.com)"

You need to specify dns_query in the second search

[search `umbrella`|fields category dns_query]

Have tried already both variants, not working 😞

Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...