One big problem is that right before your join you are doing `fields correlation_id` and thus throwing away all fields except for correlation_id. This will allow your join to work, but all other subsequent search commands will lose the fields they expect (e.g. req_host, client, FIELDNAME). Take that fields clause out. In general you don't have to worry about Splunk extracting and preserving too many fields. In fact the search parser does the opposite and optimizes the fields extracted and preserved down to just the fields named in the search string.
index="index" tag=tag1 sourcetype=access_combined "def"
| rex "(?i)/user/(?P<FIELDNAME>[^/]+)"
| bucket span=1d _time
| stats count by FIELDNAME _time
| where count<30 AND count>20
| join correlation_id [search index="index" tag=tag2 sourcetype=access_combined "hello"]
| rex field=req_host "^(?<client>[^.]*)"
| bucket span=1d _time
| stats count by client FIELDNAME _time
| sort - _time count
| dedup 3 client
However, I also strongly recommend using stats instead of join. You should absolutely avoid join for this; it's a bread-and-butter case for the use of stats.
I think the reason wpreston's search doesn't work for you is that your stats needs to group by correlation_id. You want something more like this:
index="index" sourcetype=access_combined (tag=tag1 "def") OR (tag=tag2 "hello")
| rex "(?i)/user/(?P<FIELDNAME>[^/]+)"
| rex field=req_host "^(?<client>[^.]*)"
| stats values(FIELDNAME) as FIELDNAME values(req_host) as req_host values(client) as client last(_time) as _time by correlation_id
| bucket span=1d _time
| stats count by FIELDNAME _time
|where count<30 AND count>20
|stats count by client FIELDNAME _time
| sort - _time count
|dedup 3 client
One other note: the rows coming into your second stats command already have a count field, so you may want `sum(count) as count` instead of just another `count`. Depends what you want to count, of course, but I'd make sure you're clear on what you're getting.
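To make the stats-instead-of-join pattern concrete, here is an added Python emulation of the search above run over constructed access_combined-style events; it is example code written for this page, not anything posted in the thread or shipped by Splunk. Each constructed request produces a tag1 event carrying the /user/<FIELDNAME> URI and a tag2 event carrying req_host, linked only by correlation_id. The example merges the two sets with one stats-by-correlation_id pass, buckets by day, applies the count window, and then counts by client, FIELDNAME and day. One assumption is called out in the code: to keep `client` available for the final grouping, the count filter is applied while carrying the per-correlation rows along (the eventstats-style variant) rather than collapsing them first.

```python
import re
from collections import defaultdict

DAY = 86400
DAY1 = 1_700_000_000 - 1_700_000_000 % DAY   # midnight of a constructed day
DAY2 = DAY1 + DAY

USER_RE = re.compile(r"(?i)/user/(?P<FIELDNAME>[^/]+)")   # rex "(?i)/user/(?P<FIELDNAME>[^/]+)"
CLIENT_RE = re.compile(r"^(?P<client>[^.]*)")             # rex field=req_host "^(?<client>[^.]*)"


def make_events():
    """Constructed sample events (not from the original thread).

    Each request yields two events linked only by correlation_id: a tag1 event
    whose URI contains /user/<FIELDNAME> and a tag2 event that carries req_host.
    """
    spec = [  # (FIELDNAME, req_host, day, number of correlated request pairs)
        ("alice", "acme.example.com", DAY1, 15),
        ("alice", "globex.example.com", DAY1, 10),  # 25 alice rows on DAY1 -> inside (20, 30)
        ("bob", "acme.example.com", DAY1, 5),       # 5 -> filtered out by the count window
        ("alice", "acme.example.com", DAY2, 3),     # 3 -> filtered out by the count window
    ]
    events, n = [], 0
    for user, host, day, pairs in spec:
        for _ in range(pairs):
            n += 1
            cid = f"c{n}"
            events.append({"_time": day + n, "tag": "tag1", "correlation_id": cid,
                           "uri": f"/user/{user}/def", "req_host": None})
            events.append({"_time": day + n + 1, "tag": "tag2", "correlation_id": cid,
                           "uri": "/hello", "req_host": host})
    return events


def base_search(events):
    """(tag=tag1 "def") OR (tag=tag2 "hello"): pull both event sets in one search."""
    return [e for e in events
            if (e["tag"] == "tag1" and "def" in e["uri"])
            or (e["tag"] == "tag2" and "hello" in e["uri"])]


def rex(event):
    """Emulate the two rex commands; a field is added only where its regex matches."""
    out = dict(event)
    m = USER_RE.search(event["uri"])
    if m:
        out["FIELDNAME"] = m.group("FIELDNAME")
    if event["req_host"]:
        out["client"] = CLIENT_RE.match(event["req_host"]).group("client")
    return out


def stats_by_correlation_id(events):
    """stats values(FIELDNAME) values(client) last(_time) by correlation_id.

    One row per correlation_id with the fields of both tag sets merged: this is
    the stats replacement for join. last(_time) is the last value in result
    order, i.e. the oldest event under Splunk's default reverse-time order.
    """
    rows = {}
    for ev in map(rex, events):
        row = rows.setdefault(ev["correlation_id"],
                              {"FIELDNAME": set(), "client": set(), "_time": ev["_time"]})
        if "FIELDNAME" in ev:
            row["FIELDNAME"].add(ev["FIELDNAME"])
        if "client" in ev:
            row["client"].add(ev["client"])
        row["_time"] = min(row["_time"], ev["_time"])
    return list(rows.values())


def bucket_day(t):
    """bucket span=1d _time"""
    return t - t % DAY


def count_by_fieldname_day(rows):
    """stats count by FIELDNAME _time after bucketing; a multivalue FIELDNAME
    becomes one group per value, as Splunk does for a by-field."""
    counts = defaultdict(int)
    for r in rows:
        for f in r["FIELDNAME"]:
            counts[(f, bucket_day(r["_time"]))] += 1
    return dict(counts)


def pipeline(events, low=20, high=30):
    """Keep (FIELDNAME, day) groups with low < count < high, then count the
    surviving correlation rows by client, FIELDNAME and day.

    Assumption of this example: the per-correlation rows are carried through
    the count filter (eventstats-style) so that client is still present for
    the final grouping instead of being dropped by a collapsing stats.
    """
    rows = stats_by_correlation_id(base_search(events))
    kept = {k for k, c in count_by_fieldname_day(rows).items() if low < c < high}
    result = defaultdict(int)
    for r in rows:
        day = bucket_day(r["_time"])
        for f in r["FIELDNAME"]:
            if (f, day) in kept:
                for c in r["client"]:
                    result[(c, f, day)] += 1
    return dict(result)


if __name__ == "__main__":
    for key, count in sorted(pipeline(make_events()).items()):
        print(key, count)
```

Running it lists only the alice/DAY1 groups, split by client (15 from acme, 10 from globex); bob on DAY1 and alice on DAY2 fall outside the 20..30 window and disappear, and every surviving row still has client, FIELDNAME and the bucketed _time because nothing in the pipeline threw them away.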