- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search for value of FieldA, then search FieldB, Ma...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search for value of FieldA, then search FieldB, Match if contains $FieldA, then pull field_C from event with match.
I want to do a search for field_A in index_A. The value of field_A contains a URL minus any http(s), or query terms. I then want to use the value of field_A and search field_B from index_B for values containing it. If field_B contains field_A I want splunk to pull the value of field_C from index_B within the same event/log entry.
I have tried a few different iterations of the search but cannot seem to get the value from field_A to carry as a search term for field_B. I have read many different answer pages, and wikis. I thought I was on the right track with return, or fields commands but I am stuck.
"
earliest =-7d index=index_A sourcetype=source_A field_A=* | fields field_A | dedup field_A | eval = result [ search earliest=-7d index=index_B sourcetype=source_B field_B=<$field_A> ] | fields field_B
"
This one above is a simplified attempt, it does not work but I hope it shows the order I am trying to do things in. index_B is quite large so I want to search index_A first.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The join command might be useful here.
earliest =-7d index=index_A sourcetype=source_B field_B=* | fields field_B,field_C | join type=inner field_B [ search earliest=-7d index=index_A sourcetype=source_A | fields field_A | dedup field_A | rename field_A as field_B ] | fields field_B,field_C
If I understood the question correctly, then an inner join on the larger table B with table A would give the required output.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the quick answer ramdaspr.
Im wondering why we are searching index_a for sourcetype_b which is not in that index. Does the JOIN statement take care of this?
I will test it when I get an opportunity and let you know.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My bad, it should be index_B at the start. Basically keep the larger index outside of the subsearch.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
is there a way we can get the count of main search before join and the final count after performing the join?
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
