Solved: How to list out the common user(users is a field) ...

pavanae · ‎11-24-2016

search1 displays :-

user field1 field2 field3 field4
A
B
C
D

Search2 displays :-

user field3 field4
B
C
D
E

Now both the searches has a common field user. Is there any way that I can display the user list who were in both the search 1 and search 2 something like as below

user
B
C
D

gcusello · ‎11-24-2016

Hi pavanae,
try something like this

(your_search1) OR (yoursearch2) | eval user=lower(user) | dedup user | table user

Bye.
Giuseppe

View solution in original post

woodcock · ‎12-05-2016

The accepted solution does NOT do as you indicated (it does a full join, not an inner join). Do an inner-join like this:

 (your_search1) OR (yoursearch2) | eval user=lower(user) | stats dc(sourcetype) AS sourcetypes values(*) AS * by user | where  sourcetypes=2 | table user

sundareshr · ‎11-25-2016

Try this

(index=idx1 sourcetype=st1) OR (index=idx2 sourcetype=st2) | eval user=lower(user) | eventstats dc(sourcetype) as st by user | where st=2 | rest of your query here.

gcusello · ‎11-24-2016

Hi pavanae,
try something like this

(your_search1) OR (yoursearch2) | eval user=lower(user) | dedup user | table user

Bye.
Giuseppe

woodcock · ‎12-05-2016

This does full join, not inner join; see my answer.

Raschko · ‎11-24-2016

You can "join" both searches:

yoursearch1 | fields user | join type=inner user [ yoursearch2 | fields user]

How to list out the common user(users is a field) in 2 different searches?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor