Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Subsearch with multiple field matching

andrewkenth
Communicator
‎11-12-2013 07:58 AM

Everyday I bring in events (with a logon id, USER below) and a list of approved users. I want to compare the 2 lists together and show unmatched USER fields, but only for the same date between the event list and the approved users list comes in. Currently I am matching but I seem to be joining across all dates. How do I limit the join to only the same date (and USER)?

index=charlesriver sourcetype=CrdApp_Events EVENT=LOGIN 
| bucket span=1d _time 
| stats count first(_time) as Date by USER 
| search NOT 
   [search index=charlesriver sourcetype=CrdApp_Users 
   | bucket span=1d _time 
   | stats count first(_time) as Date by USER_NAME
   | table USER_NAME|rename USER_NAME as USER]
Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎11-12-2013 08:32 AM

One option can be to use join

index=charlesriver sourcetype=CrdApp_Events EVENT=LOGIN 
| bucket span=1d _time 
| stats count first(_time) as Date by USER 
| join Date,USER  [search index=charlesriver sourcetype=CrdApp_Users 
   | bucket span=1d _time 
   | stats count first(_time) as Date by USER_NAME
   | table USER_NAME,Date|rename USER_NAME as USER |eval filter=1]
|where NOT filter=1 | fields - filter
0 Karma
Reply

somesoni2
Revered Legend
‎11-12-2013 08:09 AM

Can you try like this (added Date field in subsearch)

index=charlesriver sourcetype=CrdApp_Events EVENT=LOGIN | bucket span=1d _time | stats count first(_time) as Date by USER |search NOT [search index=charlesriver sourcetype=CrdApp_Users | bucket span=1d _time | stats count first(_time) as Date by USER_NAME| table Date,USER_NAME|rename USER_NAME as USER]

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...