Dears, I need assistance with a Splunk query to retrieve data from two sources: source X and source Y. I want to match records where child_file_id in source Y matches file_id in source X and retrieve the combined data. How can I achieve this?

In my source X, specifically Stealer_*, there are records, each of which includes a file_id, illustrated as 3382 in my example. When I search for file_id, I find 6 events, all structured similarly but with different values, all sharing the same file_id.

In another source, I have data related to source X. To establish connections between them, I use child_file_id as a relational identifier, similar to a database key. As depicted in the screenshot below, you can see that the child_file_id corresponds to the same file_id in the first source.

How can I construct a Splunk query to achieve this? Specifically, I want to retrieve the entire result set in a single query and table. In this query, the data from source 2 (child_file_id) should be duplicated in each event from the first source, creating a unified result. The final output should look something like this:

source_field1, source_field1, source_field1, source_field1, source_field1, source_field2, source_field2

BR.
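One way to build the query described above, as an added example that is not part of the original post: search both sources at once, derive a shared key with coalesce, then let eventstats copy the source Y fields onto every source X event carrying the same key. The sourcetype values and the field names x_field1, x_field2, x_field3, y_field1 and y_field2 are assumptions standing in for the poster's real ones.

```spl
(sourcetype="Stealer_*" file_id=*) OR (sourcetype="source_Y" child_file_id=*)
| eval join_key=coalesce(file_id, child_file_id)
| eventstats values(y_field1) AS y_field1 values(y_field2) AS y_field2 BY join_key
| where isnotnull(file_id)
| table join_key x_field1 x_field2 x_field3 y_field1 y_field2
```

Because this runs as a single search, it avoids the subsearch row and time limits that the join command is subject to, so all 6 source X events for key 3382 come back with the source Y values attached and the source Y row itself is dropped by the where clause. If source Y holds several records per child_file_id, values() returns them as a multivalue field; use first() or last() instead when exactly one value per event is wanted.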