Re: Use result of set intersect for another comman...

catalinberbece · ‎07-13-2018

Hello,

I am trying to use the result of an intersect to further search in one of the indexes.
| set intersect
[search index=A something...
|table IP]
[search index=B something...
| table IP]
///at this point I have a table of common IPs between the two indexes. Now I want to add to that table another field which is only present in the index=B, so the final result will look like:

IP                      Description
x.x.x.x                  something1
y.y.y.y                  something2

Both IP and Description are extracted fields.

catalinberbece · ‎07-13-2018

I've just tried both solutions but neither works. I want to mention that for one index the IP is named "clientIP" while for the other index is named "IP_ADDRESS". Also, the description field is present only on the index where IP is named "clientIP".

renjith_nair · ‎07-13-2018

Updated the answer, please try and lets know

---
What goes around comes around. If it helps, hit it with Karma 🙂

renjith_nair · ‎07-13-2018

Hi @catalinberbece,

Try this,
EDITED as per the new requirement.

(index=A OR index=B) |rename IP_ADDRESS as clientIP |stats dc(index) as dcIndex, values(Description) as Description by clientIP|where dcIndex >1

---
What goes around comes around. If it helps, hit it with Karma 🙂

somesoni2 · ‎07-13-2018

Try this

index=B [search index=A something...
|table IP]
|  table IP Description

Use result of set intersect for another command

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!