I have 2 searches which I appended and I am trying to search based on a matching session ID (to find details of a remote session). For some reason the values are not matching and returns 0 results. However, when I manually type in the session it works correctly.
One more question, there are 2 rows that come up since I am appending searches. How can I combine both rows into one?
Here is my query... The first query is bolded for readability, as is the tail end that applies to both searches.
sourcetype=uag user=bigrichie90 action=added | eval sessionAdded=session | head 1
| append [search sourcetype=uag user=bigrichie90 action=removed | eval sessionRemoved=session | head 1 ]
| where sessionAdded==sessionRemoved
Use the "join" command, like so:
sourcetype=uag user=bigrichie90 action=added | eval sessionAdded=session | head 1
| join session [search sourcetype=uag user=bigrichie90 action=removed | eval sessionRemoved=session | head 1 ]
| where sessionAdded==sessionRemoved
Since you can specify the exact field to join on, you don't even need the eval statements. The following statement should do just fine.
sourcetype=uag user=bigrichie90 action=added | join session [search sourcetype=uag user=bigrichie90 action=removed ]
For more information: http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Join
Yes, it is expensive. You could try using transaction, like so:
sourcetype=uag user=bigrichie90 | transaction session
If you need more information on event grouping and correlation:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Search/Abouteventcorrelation
Also, consult this flowchart when in doubt! 🙂
http://docs.splunk.com/File:Search_event_grouping_flowchart.png
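An added example, not part of either answer above, showing the two join-free ways of getting one row per session: the transaction command from the second answer, and the stats-based grouping the event-correlation docs and flowchart point to. Both start from a constructed data set built with makeresults, so it runs on any Splunk instance without uag data; the session values sess-1001 and sess-1002 and the field names added_at and removed_at are assumptions, while user, session, action and _time are the fields the thread already uses. Events are generated most-recent-first (n=1 is the newest) because transaction expects the descending time order a normal search returns. To run this against real data, replace the makeresults/streamstats/eval lines with sourcetype=uag user=bigrichie90 (action=added OR action=removed).

```spl
| makeresults count=4
| streamstats count AS n
| eval user="bigrichie90",
       session=if(n<=2, "sess-1002", "sess-1001"),
       action=if(n%2==1, "removed", "added"),
       _time=now() - n*60
| fields - n
| transaction session startswith="action=added" endswith="action=removed" maxspan=1h
| table _time user session duration eventcount

| makeresults count=4
| streamstats count AS n
| eval user="bigrichie90",
       session=if(n<=2, "sess-1002", "sess-1001"),
       action=if(n%2==1, "removed", "added"),
       _time=now() - n*60
| fields - n
| stats min(eval(if(action=="added", _time, null()))) AS added_at
        max(eval(if(action=="removed", _time, null()))) AS removed_at
        BY user session
| where isnotnull(added_at) AND isnotnull(removed_at)
| eval duration=removed_at-added_at
| table user session added_at removed_at duration
```

Each search returns one row per session (two rows for the constructed data, each with a duration of 60 seconds), which is also what the original question's "combine both rows into one" asks for. The append-then-where approach in the question cannot produce this because append stacks the subsearch results under the main results: no single row ever carries both sessionAdded and sessionRemoved, so the where clause matches nothing. Of the two forms, stats is the cheaper one at scale: it runs distributed on the indexers and only keeps the aggregates, whereas transaction pulls the raw events back to the search head and holds open sessions in memory; use maxspan (and maxpause) to bound that, and note that a session whose added and removed events are further apart than maxspan will be split into two transactions.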
Thanks for the flowchart link - this will come in handy!
Wouldn't join impact performance? I was trying to stay away from joining.