I have a query that goes into an index and filters a particular type of events of interest using stats and returns something like:
search Event_Class = EVENT_TYPE_1
The results get piped into | stats count as Stats1 dc as Stats2 avg(data) as Stats3 by Hostname, String_Field_One, Numeric_Field_One, Dest_IP
This results in something like:
Hostname String_Field_One Numeric_Field_One Dest_IP Stats1 Stats2 Stats3
Now the challenge. I would like to use Hostname, String_Field_One to "lookup" against data from a separate query, resulting in an additional field being added to the results of the original data.
search Event_Class = EVENT_TYPE_1 HostName=<value_from_hostname_would_go_here> AND String_Field_One=<value_from_String_Field_One_should_go_here> AND Numeric_Field_One=<value_from_numeric_field_one_would_go_here> | head 1 | table String_Field_That_I_Want_To_Join
Can Splunk do this?
I had a look at those, however subsearches seem to behave more like SQL's UNION or Sub-SELECT statements than a proper lookup. They are just not powerful enough (or incredibly poorly documented)...
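As an added example (not from the original poster), the lookup-style join described above written in SPL with the join command, keyed on the three fields the second search filters on. It assumes the field names from the post, uses Hostname consistently (Splunk field names are case-sensitive, so Hostname and HostName would not match), and uses the placeholder Some_Field for the dc() argument the post leaves unspecified.

```spl
search Event_Class=EVENT_TYPE_1
| stats count AS Stats1,
        dc(Some_Field) AS Stats2,
        avg(data) AS Stats3
        BY Hostname, String_Field_One, Numeric_Field_One, Dest_IP
| join type=left Hostname, String_Field_One, Numeric_Field_One
    [ search Event_Class=EVENT_TYPE_1
      | stats first(String_Field_That_I_Want_To_Join) AS String_Field_That_I_Want_To_Join
              BY Hostname, String_Field_One, Numeric_Field_One ]
```

The subsearch is pre-aggregated to one row per key so the outer rows are not duplicated, and type=left keeps rows that have no match (the joined field is simply null for them). Subsearches are bounded by the result-count and time limits in limits.conf, so for large result sets the usual Splunk idiom is to compute everything in a single stats over the base search instead of joining.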