Re: Join command not working - Splunk Community

Splunk Search

I want to extend the results of the first search : add the column category (from the 2 search) to the results of the 1 search.

The results of the first search appear:

The results of the 2 search are also present:

2 datasets have one common field dns_query .

But using join command no matches are found in these 2 datasets are found (it`s impossible, because I checked some of the dns_query )

Any ideas what can be wrong?

1st search result dns_query:
XXX.google.com

2nd search result dns_query:
XXX.google.com.

There is extra asterisk on 2nd search.

[search `umbrella`|fields category dns_query| eval dns_query=dns_query."."]

how about this?

While google.com exists in the dns_query fields, there isn't a complete match hence no results. You should evaluate the presence of google.com into another field in both searches and join on that field.

| rex field=dns_query "(?<google>google.com)"

You need to specify dns_query in the second search

[search `umbrella`|fields category dns_query]

Have tried already both variants, not working 😞

Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...