Splunk Search

Join fields from 2 searches without join

jtg1703
New Member

Hi, I need some help with a little issue. I have 2 sourcetypes like this:

SOURCETYPE A:

ID_1 | DESCRIPCION
1 | RED
2 | BLUE
3 | GREEN
4 | YELLOW
5 | ORANGE

SOURCETYPE B:

ID_1 |ISSUE
1 |A
1 |B
1 |B
3 |B
4 |C

I'm trying to find how many IDs have issue B; the result should be like this:

RED 2
GREEN 1

Currently my search uses a join clause, but it's very slow and I'm trying to find a better way to do this.

Could someone help me?
Regards,
J

0 Karma

aberkow
Builder

You can definitely use the suggestion above about creating a lookup, and then using the lookup command like this:

| lookup csvName.csv ID_1 OUTPUT ISSUE

and then you can run aggregations on that ISSUE field (the ID_1 is the joining field).

You can use a stats command as well, but it's a bit difficult to understand what is the most ideal given the data you've given and you'd have to do a bit more fanciness with the fields. If you're just looking for instances of B, you can filter your second sourcetype to that in the base search and then run a command like this:

base search filtering to only B logs
| stats count(ISSUE) as issueCount, values(DESCRIPTION) as description by ID_1

Let me know if this is helpful or if you have any other questions.

0 Karma

tiagofbmm
Influencer

Seems you have material to build a static lookup. Your sourcetype A that has the description can be output to a lookup that you can use to enrich your stats on sourcetype B.

0 Karma
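As an added example (not code from either answer above), both join-free approaches written out in SPL for the sample data in the question. It assumes the sourcetypes are literally named A and B, that sourcetype A carries one DESCRIPCION per ID_1, and a lookup file name id_description.csv chosen for illustration. The first search does everything in a single pass with stats, which is what makes it faster than join (join runs a subsearch that is capped in rows and runtime); the next two searches build the static lookup from sourcetype A and then enrich the B events with it.

```spl
(sourcetype=A) OR (sourcetype=B ISSUE="B")
| stats values(DESCRIPCION) as DESCRIPCION, count(eval(ISSUE="B")) as b_count by ID_1
| where b_count > 0
| stats sum(b_count) as b_count by DESCRIPCION

sourcetype=A
| dedup ID_1
| table ID_1 DESCRIPCION
| outputlookup id_description.csv

sourcetype=B ISSUE="B"
| lookup id_description.csv ID_1 OUTPUT DESCRIPCION
| stats count as b_count by DESCRIPCION
```

Both give RED 2 and GREEN 1 for the sample data; if an ID's description can change over time, use latest(DESCRIPCION) instead of values(DESCRIPCION) in the first search so the result stays single-valued.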