Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to join two queries with a common field?

Shashank_87
Explorer
‎07-11-2018 09:09 AM

Hi, I have 2 searches which i need to join using a common field let's say uniqueId. Now in my 1st search I have a username and in the 2nd search I see if the user goes through that request.
I want to display the user names who does not triggers any request in the 2nd search.
Please note both are different indexes. I am just looking for which user names the request has not been triggered.
I have used join and combined the queries where I am getting the common results but I want to display the uncommon results.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-11-2018 09:29 AM

Hi @Shashank_87,

You could do it by using NOT in subsearch 

index=index1 source=xxx  |search NOT [index=index2 "other search terms" |fields user_field]

https://docs.splunk.com/Documentation/Splunk/7.1.1/Search/Usesubsearchtocorrelateevents

Happy Splunking!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎07-11-2018 02:33 PM

an efficient way is to do a search looking at both indexes, and look for the events with the same values for uniqueId

 uniqueId=* (index=index1 OR index=index2) 
 | stats dc(index) AS distinctindexes values(index) values(username) AS username  by uniqueId 
 | where distinctindexes>1
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-11-2018 09:29 AM

Hi @Shashank_87,

You could do it by using NOT in subsearch 

index=index1 source=xxx  |search NOT [index=index2 "other search terms" |fields user_field]

https://docs.splunk.com/Documentation/Splunk/7.1.1/Search/Usesubsearchtocorrelateevents

Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

Shashank_87
Explorer
‎07-11-2018 09:50 AM

This doesn't work. I have a common field with same values but different name in the 2 different indexes. I am able to group them together. But what I am really looking for is the username which is in 1st index does not have any event in 2nd index. I want a table or something for those users.
This is my current search which gives me the common events. I want the uncommon one's -

index=test1 "any search string"
| join uniqueId
[ search index=test2 "any search string"
| rename CustomerId as uniqueId]
| table username uniqueId

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎07-11-2018 09:35 PM

What are you getting when you execute with NOT, because NOT will remove the events which have "user" in second index

Happy Splunking!
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...