Re: How to combine 2 searches with same value and ...

Allene139 · ‎04-11-2022

I have 2 searches and I want to link 2 together in one table.

The first search:

index=very_big_index caseNumber=1234567799

| table _time Name caseNumber UID phone.

This displays the following as expected, but the phone field is blank:

_time	Name	caseNumber	UID	phone
11APR2022	John Smith	1234567799	111222333444555666777

The second search with the UID yields the phone number but nothing else:

index=very_big_index 111222333444555666777
| stats values(phone) as phone

results:

phone

123-555-1234

How can I efficiently link these 2 searches together using the common field name/value of UID/111222333444555666777

Stefanie · ‎04-12-2022

In your first search,

index=very_big_index caseNumber=1234567799

| table _time Name caseNumber UID phone

Is phone blank because the value should be "phone_number"?

Does this search not return your results?

index=very_big_index caseNumber=1234567799

| table _time Name caseNumber UID phone_number

Allene139 · ‎04-12-2022

Apologies for the confusion. The name of the field is "phone." But I used "phone_number" when I was sanitizing the data for this post. I fixed the post. Thank you

Allene139 · ‎04-12-2022

That didn't work. The phone number field is blank. But thank you.

blbr123 · ‎04-11-2022

index=very_big_index caseNumber=1234567799 111222333444555666777 | stats values(phone_number) as phone by _time Name caseNumber UID

How to combine 2 searches with same value and field name.

join

subsearch

transaction

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!