Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

SPL Help for below scenerio

vikram1583
Explorer
‎03-16-2020 02:19 PM

search 1...|table src_ip
search 2: tag=authentication user!=*$ src_ip=xx.xx.xx.xx
| head 1
| table user src_ip

from search 1 result i need to find user so i have search 2 to find that but i want to show both results in one search i tried like this
search1....| table src_ip | join type=left src_ip [|search tag=authentication user!=*$ src_ip=$src_ip$ | head 1
| table user src_ip
but not able to find result can some one help

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-16-2020 05:59 PM

You were close. The subsearch should not try to match events itself - the join will do that.

search1....| fields src_ip | join type=left src_ip [|search tag=authentication user!=*$ | stats values(user) as user by src_ip]
| table user src_ip
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

anmolpatel
Builder
‎03-16-2020 04:39 PM

@vikram1583 can you provide more detail about this? Maybe include an example

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...