Splunk Search

How to list out the common user(users is a field) in 2 different searches?

pavanae
Builder

search1 displays :-

user field1 field2 field3 field4
A
B
C
D

Search2 displays :-

user field3 field4
B
C
D
E

Now both the searches has a common field user. Is there any way that I can display the user list who were in both the search 1 and search 2 something like as below

user
B
C
D

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi pavanae,
try something like this

(your_search1) OR (yoursearch2) | eval user=lower(user) | dedup user | table user

Bye.
Giuseppe

View solution in original post

0 Karma

woodcock
Esteemed Legend

The accepted solution does NOT do as you indicated (it does a full join, not an inner join). Do an inner-join like this:

 (your_search1) OR (yoursearch2) | eval user=lower(user) | stats dc(sourcetype) AS sourcetypes values(*) AS * by user | where  sourcetypes=2 | table user
0 Karma

sundareshr
Legend

Try this

(index=idx1 sourcetype=st1) OR (index=idx2 sourcetype=st2) | eval user=lower(user) | eventstats dc(sourcetype) as st by user | where st=2 | rest of your query here.
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi pavanae,
try something like this

(your_search1) OR (yoursearch2) | eval user=lower(user) | dedup user | table user

Bye.
Giuseppe

0 Karma

woodcock
Esteemed Legend

This does full join, not inner join; see my answer.

0 Karma

Raschko
Communicator

You can "join" both searches:

yoursearch1 | fields user | join type=inner user [ yoursearch2 | fields user]
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...