×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
BigJohnQ
New Member
Member since: ‎04-08-2024
‎04-08-2024
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-08-2024
Activity Feed
View All

How to find matching data from two indexes

by in Splunk Search
‎04-08-2024 02:37 PM
‎04-08-2024 02:37 PM
Hi all, thank in advance for your time! I have a problem writing a properly working query with this case study: I need to take data from index=email1 to find matching data from index=email2. I tried to do it this way: from index=email1 I take the fields src_user and recipient and use the appropriate search to look for it in the email2 index. Query examples that I used: index=email1 sourcetype=my_sourcetype source_user=* [ search index=email2 sourcetype=my_sourcetype source_user=* | fields source_user ] OR index=email1 sourcetype=my_sourcetype | join src_user, recipient [search index=emai2 *filters*] Everything looked OK in the control sample (I found events in a 10-minute window, e.g. 06:00-06:10), which at first glance matched, but when I extended the search time, e.g. to 24h, it did not show me any events, even those that matched in a short time window (even though they were in these 24 hours). Thank you for any ideas or solutions for this case. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎04-08-2024 07:18 PM