Matching records from 2 different indexes with a l...

sherins · ‎01-14-2020

I have 2 indexes and need to get only a records of field that exists in both indexes.

One of the index has to filter events based on a look up file and then the resultant set should match with the other index for output.
Need the splunk query for same.

to4kawa · ‎01-20-2020

index=firstindex OR index=secondindex   
[|inputlookup mylookup.csv field1]
|stats dc(index) as flag by field1
|where flag>1
|table field1

Hi, @sherins
this is assuming field1 is the common field among indexes.
how about this?

...everybody wants to join the searches...

ashajambagi · ‎01-19-2020

 index=secondindex
 | join field1 
     [ search index=firstindex
     |lookup mylookup.csv field1 as field1
     | table field1] ]

jawaharas · ‎01-19-2020

Assuming field1 is the common field among indexes and lookup file, try below query.

index=index-1
| join field1 
    [ search index=index-2 
    | table field1 
    | search 
        [| inputlookup mylookup.csv 
        | table field1] ]

Matching records from 2 different indexes with a look up

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

Video | Tom’s Smartness Journey Continues

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?