Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

SPL Help for below scenerio

vikram1583
Explorer
‎03-16-2020 02:19 PM

search 1...|table src_ip
search 2: tag=authentication user!=*$ src_ip=xx.xx.xx.xx
| head 1
| table user src_ip

from search 1 result i need to find user so i have search 2 to find that but i want to show both results in one search i tried like this
search1....| table src_ip | join type=left src_ip [|search tag=authentication user!=*$ src_ip=$src_ip$ | head 1
| table user src_ip
but not able to find result can some one help

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-16-2020 05:59 PM

You were close. The subsearch should not try to match events itself - the join will do that.

search1....| fields src_ip | join type=left src_ip [|search tag=authentication user!=*$ | stats values(user) as user by src_ip]
| table user src_ip
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

anmolpatel
Builder
‎03-16-2020 04:39 PM

@vikram1583 can you provide more detail about this? Maybe include an example

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...