search 1...|table src_ip
search 2: tag=authentication user!=*$ src_ip=xx.xx.xx.xx
| head 1
| table user src_ip
From the search 1 result I need to find the user, so I have search 2 to find that, but I want to show both results in one search. I tried it like this:
search1....| table src_ip | join type=left src_ip [|search tag=authentication user!=*$ src_ip=$src_ip$ | head 1
| table user src_ip
But I am not able to find the result. Can someone help?
You were close. The subsearch should not try to match events itself - the join
will do that.
search1....| fields src_ip | join type=left src_ip [|search tag=authentication user!=*$ | stats values(user) as user by src_ip]
| table user src_ip
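An added example, not part of the original answer: the same join run against constructed data generated with `makeresults`, so it can be pasted into a search bar without any indexed events. The IP addresses, user names and the `constructed_auth` field are made up for the illustration and stand in for search 1 and the `tag=authentication` events.

```spl
| makeresults
| eval src_ip=split("192.0.2.10,192.0.2.20,192.0.2.30", ",")
| mvexpand src_ip
| fields src_ip
| join type=left src_ip
    [| makeresults
     | eval constructed_auth=split("192.0.2.10:alice,192.0.2.10:HOST01$,192.0.2.10:carol,192.0.2.20:bob", ",")
     | mvexpand constructed_auth
     | eval src_ip=mvindex(split(constructed_auth, ":"), 0), user=mvindex(split(constructed_auth, ":"), 1)
     | search user!=*$
     | stats values(user) as user by src_ip]
| table user src_ip
```

Because the join is `type=left`, 192.0.2.30 stays in the output with an empty `user`, and the machine account ending in `$` is filtered out before the join. Swapping the `stats` line for `head 1` leaves a single row in the subsearch, so at most one `src_ip` can receive a user.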
@vikram1583 can you provide more detail about this? Maybe include an example