SPL Help for below scenerio

vikram1583 · ‎03-16-2020

search 1...|table src_ip
search 2: tag=authentication user!=*$ src_ip=xx.xx.xx.xx
| head 1
| table user src_ip

from search 1 result i need to find user so i have search 2 to find that but i want to show both results in one search i tried like this
search1....| table src_ip | join type=left src_ip [|search tag=authentication user!=*$ src_ip=$src_ip$ | head 1
| table user src_ip
but not able to find result can some one help

richgalloway · ‎03-16-2020

You were close. The subsearch should not try to match events itself - the join will do that.

search1....| fields src_ip | join type=left src_ip [|search tag=authentication user!=*$ | stats values(user) as user by src_ip]
| table user src_ip

---
If this reply helps you, Karma would be appreciated.

anmolpatel · ‎03-16-2020

@vikram1583 can you provide more detail about this? Maybe include an example

SPL Help for below scenerio

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

SPL Help for below scenerio

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future