Splunk Search

How to use the Where clause in my search?

vnguyen46
Contributor

I have index A with fields: username, field1, field2
I have main:sourcetype B with fields: userid, fullname

Trying to search for: username, field1, field2 WHERE username = userid
Any ideas will help.
Thanks,

1 Solution

aholzer
Motivator

You can use a subsearch to limit the results to those that have a match from your secondary information source.

index=A [| search index=main sourcetype=B | fields userid | rename userid AS username]

This will return only results from index=A where the username is in the list of userids from index=main sourcetype=B.

Warning: subsearches have a 10k limit in terms of results that can be returned, so if you have more than 10k results in your secondary information source, this will not work.

Hope this helps

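Two ways to write the correlation, as an added example that is not part of aholzer's answer or the original thread. The first is the subsearch form from the answer with a dedup on the inner result, so the generated OR clause carries each userid once and stays well under the subsearch result limit. The second reads both sources in one search and uses eventstats to tag every event with how many sourcetype B events share its username; it is not subject to the subsearch result limit the answer warns about and keeps each index A event as its own row. Index and field names (A, main, sourcetype B, username, userid, field1, field2) are taken from the question; the temporary field in_B is an assumption introduced here.

```spl
index=A [ search index=main sourcetype=B | dedup userid | fields userid | rename userid AS username ]
| table username field1 field2

(index=A) OR (index=main sourcetype=B)
| eval username=coalesce(username, userid)
| eventstats sum(eval(if(sourcetype="B", 1, 0))) AS in_B BY username
| where index="A" AND in_B > 0
| table username field1 field2
```

Run either search on its own. In the second form the coalesce gives both sources a common join key, the eventstats pass counts sourcetype B events per username without collapsing rows, and the where keeps only index A events whose username appeared at least once in sourcetype B. The trade-off is memory rather than a result cap: eventstats holds the combined event set, so narrow the time range or the sourcetype B search if the B side is large.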


vnguyen46
Contributor

It works well. My index main has <2000 records.
Thank you.


vnguyen46
Contributor

The key is "userid" in a different index/sourcetype. I meant looking for records in index A for only the userids in index/sourcetype B.
index=A OR sourcetype=B
...somewhere I need to add A.username=B.userid
That means only userids in sourcetype B will display.


burwell
SplunkTrust

If you just want to search for a field having a value in the first part of the search, leave off the WHERE.
