Splunk Search

SPL search query to combine two tables

MikeJu25
Path Finder

Hi,

I have database table and anomaly table. Both tables have a field database_id. Now I am interested in the status and confidence fields in anomaly table as well as data_source and ip fields in database table. I want to combine them into one table based on the database_id. I tried some queries like below but its result was not as expected. 

 

 

 

index=anomalies | JOIN type=left database_id [SEARCH index=assets] | fields anomaly_id, confidence, current_status, database_id, source_type, ip 

 

 

 

 How could I write a query that returns a table showing the info for all anomalies as well as the database info related to that anomaly using database_id as a bridge? 

Thank you in advance!

Regards,

Labels (3)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

In what way were they not as expected?

0 Karma

MikeJu25
Path Finder

Seems like it works for now! Thank you!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...