Splunk Search

How to map an matching result from 1 query to another

saimack
New Member

Please help me in this query.
--I have a query which produces result like
uid user ip
1001 xyz 1.1.1.1
1002 abc 1.1.1.1
--another query which returns
ip logintime loginLength
xyz 10:00 180
abc 15:00 280

=>how can i combine the result like
uid loginlength
1001 180
1002 280

Thanks !

Tags (1)
0 Karma

raghu_vedic
Path Finder

first get the first query data i.e uid and user as index=your_index_name | stats count by uid user
then map it with second query as | map search="search index=your_index_name
ip=$user$
and then display as | stats first(loginLength) as $uid$

final query is
***index=your_index_name | stats count by uid user
| map search="search index=your_index_name
ip=$user$ | stats first(loginLength) as $uid$
* | transpose"**

0 Karma

jplumsdaine22
Influencer

It would be a great help if you posted your searches. Also check out this handy guide on event correlation:

http://docs.splunk.com/Documentation/Splunk/6.3.2/Search/Abouteventcorrelation

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Without knowing your searches, the suggestion would be this

your first search giving uid, user, ip | append [ your second search  giving ip logintime loginLength ]  | stats values(loginLength) as loginLenght by uid

There may be an option to avoid subsearch, but we can see unless we see your actual searches.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...