Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search for value of FieldA, then search FieldB, Match if contains $FieldA, then pull field_C from event with match.

ArmbrusterC
Explorer
‎04-08-2015 05:57 PM

I want to do a search for field_A in index_A. The value of field_A contains a URL minus any http(s), or query terms. I then want to use the value of field_A and search field_B from index_B for values containing it. If field_B contains field_A I want splunk to pull the value of field_C from index_B within the same event/log entry.
I have tried a few different iterations of the search but cannot seem to get the value from field_A to carry as a search term for field_B. I have read many different answer pages, and wikis. I thought I was on the right track with return, or fields commands but I am stuck.

" 
earliest =-7d index=index_A sourcetype=source_A  field_A=* | fields field_A | dedup field_A | eval = result [ search earliest=-7d index=index_B sourcetype=source_B field_B=<$field_A> ]  | fields field_B
"

This one above is a simplified attempt, it does not work but I hope it shows the order I am trying to do things in. index_B is quite large so I want to search index_A first.

0 Karma
Reply

ramdaspr
Contributor
‎04-08-2015 06:09 PM

The join command might be useful here.

earliest =-7d index=index_A sourcetype=source_B  field_B=* | fields field_B,field_C | join type=inner field_B [ search earliest=-7d index=index_A sourcetype=source_A | fields field_A | dedup field_A | rename field_A as field_B ]  | fields field_B,field_C

If I understood the question correctly, then an inner join on the larger table B with table A would give the required output.

0 Karma
Reply

ArmbrusterC
Explorer
‎04-08-2015 08:22 PM

Thank you for the quick answer ramdaspr.
Im wondering why we are searching index_a for sourcetype_b which is not in that index. Does the JOIN statement take care of this?
I will test it when I get an opportunity and let you know.

0 Karma
Reply

ramdaspr
Contributor
‎04-08-2015 08:25 PM

My bad, it should be index_B at the start. Basically keep the larger index outside of the subsearch.

0 Karma
Reply

sree6494
New Member
‎05-19-2020 07:07 AM

is there a way we can get the count of main search before join and the final count after performing the join?

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...