I have two Splunk queries which work independently, but I want to join the two queries and get the result in one go. Can you please advise how to do so?
Query1 : index=test AND "Test String 1" | rex "Test@(?<SessionId>[^<]+)" | table SessionId
Query 2 : index=test SessionId "Test String 2" | rex " <ns1:IDNO>(?<IDNO>[^<]+)" | table IDNO
Logs for Query1 :
sdaasasdsad Test String1 dasdsad Test@12345
sdaasasdsad Test String1 dasdsad Test@123456
Logs for Query2 :
Test@12345 123
Test@123456 1234
I want to fetch IDNO for all Session Ids in the last 24 hours.
I have tried with the below query but it's not working :
index=test SessionId "Test String 2" |rex " <ns1:IDNO>(?<IDNO>[^<]+)" | table IDNO| join SessionId [search index=test AND "Test String 1" | rex "Test@(?[^<]+)" | table SessionId]