Use result of set intersect for another command

catalinberbece · ‎07-13-2018

Hello,

I am trying to use the result of an intersect to further search in one of the indexes.
| set intersect
[search index=A something...
|table IP]
[search index=B something...
| table IP]
///at this point I have a table of common IPs between the two indexes. Now I want to add to that table another field which is only present in the index=B, so the final result will look like:

IP                      Description
x.x.x.x                  something1
y.y.y.y                  something2

Both IP and Description are extracted fields.

catalinberbece · ‎07-13-2018

I've just tried both solutions but neither works. I want to mention that for one index the IP is named "clientIP" while for the other index is named "IP_ADDRESS". Also, the description field is present only on the index where IP is named "clientIP".

renjith_nair · ‎07-13-2018

Updated the answer, please try and lets know

Happy Splunking!

renjith_nair · ‎07-13-2018

Hi @catalinberbece,

Try this,
EDITED as per the new requirement.

(index=A OR index=B) |rename IP_ADDRESS as clientIP |stats dc(index) as dcIndex, values(Description) as Description by clientIP|where dcIndex >1

Happy Splunking!

somesoni2 · ‎07-13-2018

Try this

index=B [search index=A something...
|table IP]
|  table IP Description

Use result of set intersect for another command

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life