Splunk Search

SPL Help for below scenario

Explorer

search 1: ...| table srcip
search 2: tag=authentication user!=*$ src_ip=xx.xx.xx.xx
| head 1
| table user src_ip

From the search 1 result I need to find the user, so I have search 2 to find that, but I want to show both results in one search. I tried this:
search1....| table srcip | join type=left srcip [|search tag=authentication user!=*$ srcip=$srcip$ | head 1
| table user src_ip ]
but I am not able to find a result. Can someone help?


Re: SPL Help for below scenario

Builder

@vikram1583 can you provide more detail about this? Maybe include an example.


Re: SPL Help for below scenario

SplunkTrust

You were close. The subsearch should not try to match events itself - the join will do that.

search1....| fields src_ip | join type=left src_ip [|search tag=authentication user!=*$ | stats values(user) as user by src_ip]
| table user src_ip
---
If this reply helps you, an upvote would be appreciated.
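To make the reply's reasoning concrete, here is an added Python model of the two searches; it is not part of the thread and not Splunk code. It uses constructed sample events (a few search 1 results and a few authentication events, including a machine account ending in "$") and models three SPL pieces: the original subsearch with "head 1", the reply's subsearch with "stats values(user) as user by src_ip", and "join type=left". A subsearch executes once, before and independently of the outer search, so "head 1" keeps a single event overall rather than one per outer src_ip; aggregating by src_ip instead yields exactly one row per key, which is what a left join needs.

```python
from collections import defaultdict

# Constructed sample data (not from the thread): results of "search 1",
# which only carry a source IP, and authentication events that carry both
# a user and a source IP. Machine accounts end in "$".
SEARCH1_RESULTS = [
    {"src_ip": "10.0.0.5"},
    {"src_ip": "10.0.0.7"},
    {"src_ip": "10.0.0.9"},   # no authentication event for this IP
]

AUTH_EVENTS = [
    {"tag": "authentication", "user": "alice", "src_ip": "10.0.0.5"},
    {"tag": "authentication", "user": "HOST01$", "src_ip": "10.0.0.5"},  # excluded by user!=*$
    {"tag": "authentication", "user": "bob", "src_ip": "10.0.0.7"},
    {"tag": "authentication", "user": "carol", "src_ip": "10.0.0.7"},
]


def auth_without_machine_accounts(events):
    """Model of: tag=authentication user!=*$"""
    return [e for e in events
            if e["tag"] == "authentication" and not e["user"].endswith("$")]


def subsearch_head1(events):
    """Model of the original subsearch: ... | head 1 | table user src_ip

    The subsearch runs once on its own, before the outer search, so head 1
    keeps one event in total, not one per outer src_ip.
    """
    rows = auth_without_machine_accounts(events)
    return [{"user": r["user"], "src_ip": r["src_ip"]} for r in rows[:1]]


def subsearch_stats_values(events):
    """Model of the reply's subsearch: ... | stats values(user) as user by src_ip

    Produces exactly one row per src_ip with a deduplicated, sorted
    multivalue user field, like Splunk's values() aggregation.
    """
    users_by_ip = defaultdict(set)
    for r in auth_without_machine_accounts(events):
        users_by_ip[r["src_ip"]].add(r["user"])
    return [{"src_ip": ip, "user": sorted(users)}
            for ip, users in sorted(users_by_ip.items())]


def left_join(outer_rows, subsearch_rows, key):
    """Model of: | join type=left <key> [ subsearch ]

    Every outer row is kept. Fields from the first subsearch row with the
    same key value are merged in; rows with no match keep only their own fields.
    """
    index = {}
    for row in subsearch_rows:
        index.setdefault(row[key], row)   # join uses the first matching row per key
    joined = []
    for row in outer_rows:
        merged = dict(row)
        merged.update(index.get(row[key], {}))
        joined.append(merged)
    return joined


def original_attempt():
    """Outer search 1 left-joined with the 'head 1' subsearch."""
    return left_join(SEARCH1_RESULTS, subsearch_head1(AUTH_EVENTS), "src_ip")


def answer_approach():
    """Outer search 1 left-joined with the 'stats values(user) by src_ip' subsearch."""
    return left_join(SEARCH1_RESULTS, subsearch_stats_values(AUTH_EVENTS), "src_ip")


if __name__ == "__main__":
    for label, rows in (("head 1", original_attempt()), ("stats values", answer_approach())):
        print(label)
        for r in rows:
            print("  ", r["src_ip"], r.get("user", "<no match>"))
```

Running it shows the "head 1" variant attaching a user to only the first IP in the subsearch output, while the aggregated variant fills in every IP that has a non-machine login and leaves 10.0.0.9 without a user, as a left join should. One more detail the reply quietly corrects: the original attempt joins on srcip while the subsearch emits src_ip, and join matches on field name, so the reply's "fields src_ip" on the outer side is what makes the key line up.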