
Unable to join two searches on a common field; however, sub-search works

Hi All,

Please help me debug the issue of joining two searches based on a common field.
I have two indexes that have values which can be matched, and I want to get field1 and field2 from firstaccesslog and field3 and field4 from node_access logs.

firstaccesslogs has a trackingId which has one part; we call that nodeTrackingId.
nodeaccesslog has the node tracking id, but that is defined in the src_ip field.

If I use the inner search to combine the two results, the query works, but I do not get fields from both searches in the final output, only the fields from nodeaccesslogs.

index=node_access_logs "search/api/another?value=&id"
[ search index=first_access_logs emp_id=472421 "14616113" "POST" "search/api/values"
| rex field=tracking_id ":(?<nodeTrackingId>.+)"
| rename nodeTrackingId as src_ip
| fields src_ip
]

However, when I use this as a join query (I tried removing type=inner from the command as well), it does not return any result.

index=first_access_logs emp_id=472421 "14616113" "POST" "search/api/values"
| rex field=tracking_id ":(?<nodeTrackingId>.+)"
| join type="inner" nodeTrackingId
[ search index=node_access_logs "search/api/another?value=&id"
| rename src_ip as nodeTrackingId
]
| table field_1, field_2, field_3, field_4

Re: Unable to join two searches on a common field; however, sub-search works

Ultra Champion

What are field1, field2, field3, field4?
nodeTrackingId/src_ip is not any of the field_X?


Re: Unable to join two searches on a common field; however, sub-search works

Contributor

Hi,

Could you please try the search below.

  index=first_access_logs emp_id=472421 "14616113" "POST" "search/api/values"
  | rex field=tracking_id ":(?<nodeTrackingId>.+)"
  | join type="inner" nodeTrackingId max=0
  [ search index=node_access_logs "search/api/another?value=&id"
  | rename src_ip as nodeTrackingId
  | fields nodeTrackingId, *
  ]
  | table field_1, field_2, field_3, field_4

Re: Unable to join two searches on a common field; however, sub-search works

Thanks Dindu for replying. I tried using the changes you suggested:

adding type="inner" and max=0
keeping the common field from the outer search (nodeTrackingId), renaming the src_ip field from the other search, and also selecting all fields along with nodeTrackingId in the search in brackets

but this did not change the result.

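An added example, not from any poster in this thread: the same correlation done with stats instead of join, which sidesteps join's subsearch result limits and shows directly whether the nodeTrackingId values from the two indexes line up. Search-term matching in the working subsearch version is case-insensitive, while field matching in stats is case-sensitive, so the id is normalised with lower() and trim() on both sides; idx_count is a helper name I chose, and field_1/field_2 are assumed to come from first_access_logs and field_3/field_4 from node_access_logs, as the question states.

```spl
(index=first_access_logs emp_id=472421 "14616113" "POST" "search/api/values")
    OR (index=node_access_logs "search/api/another?value=&id")
| rex field=tracking_id ":(?<nodeTrackingId>.+)"
| eval nodeTrackingId=coalesce(nodeTrackingId, if(index="node_access_logs", src_ip, null()))
| eval nodeTrackingId=lower(trim(nodeTrackingId))
| stats values(field_1) as field_1 values(field_2) as field_2
        values(field_3) as field_3 values(field_4) as field_4
        dc(index) as idx_count by nodeTrackingId
| where idx_count=2
| table nodeTrackingId field_1 field_2 field_3 field_4
```

Run it once without the `where idx_count=2` line: ids that only ever show idx_count=1 are the ones that did not match across the two indexes, which is where to look for stray characters or a tracking_id that the rex did not split as expected.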