Splunk Search

Unable to join two searches with a common field, however sub-search works

jagdeepgupta813
Explorer

Hi All,

Please help me debug the issue with joining two searches based on a common field.
I have two indexes which have values that can be matched, and I want to get field_1 and field_2 from first_access_logs and field_3 and field_4 from node_access_logs.

first_access_logs has one tracking_id which has one part; we call that nodeTrackingId.
node_access_logs has the node tracking id, but it is defined in the src_ip field.

If I use the inner search to combine the two results, the query works, but I do not get fields from both searches in the final output, only the fields from node_access_logs:

index=node_access_logs "search/api/another?value=&id"
[ search index=first_access_logs emp_id=472421 "14616113" "POST" "search/api/values"
| rex field=tracking_id ":(?<nodeTrackingId>.+)"
| rename nodeTrackingId as src_ip
| fields src_ip
]

However, when I use this as a join query (I also tried removing type=inner from the command), it does not return any results:

index=first_access_logs emp_id=472421 "14616113" "POST" "search/api/values"
| rex field=tracking_id ":(?<nodeTrackingId>.+)"
| join type="inner" nodeTrackingId
[ search index=node_access_logs "search/api/another?value=&id"
| rename src_ip as nodeTrackingId
]
| table field_1, field_2, field_3, field_4

dindu
Contributor

Hi,

Could you please try the below search.

  index=first_access_logs emp_id=472421 "14616113" "POST" "search/api/values"
  | rex field=tracking_id ":(?<nodeTrackingId>.+)"
  | join type="inner" nodeTrackingId max=0
  [ search index=node_access_logs "search/api/another?value=&id"
  | rename src_ip as nodeTrackingId
  | fields nodeTrackingId, * ]
  | table field_1, field_2, field_3, field_4

jagdeepgupta813
Explorer

Thanks Dindu for replying. I tried using the changes you suggested:

adding type="inner" and max=0
keeping the common field from the outer search (nodeTrackingId), renaming the src_ip field from the other search, and also selecting all fields along with nodeTrackingId in the search in brackets

but this did not change the result.


to4kawa
Ultra Champion

What are field_1, field_2, field_3, field_4?
nodeTrackingId and src_ip are not any of the field_X?

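Added example, not from the thread and not Splunk's own code: a small Python model of what the two SPL pipelines posted above compute, so the difference between the working subsearch and the empty join can be seen offline. It serves both the original question (why the subsearch returns rows but only node_access_logs fields, and why the join can return nothing) and to4kawa's follow-up (whether the fields named in `table` exist at all). Everything in it is an assumption: the events are constructed, the field names follow the thread, and three Splunk behaviours are modelled rather than taken from the thread: a subsearch that returns one field is expanded into OR'd search terms, a search term on a field value matches case-insensitively, and `join` compares field values exactly with `max=1` and `overwrite=true` as defaults.

```python
"""Model of the two SPL pipelines in this thread (added example, not Splunk code).

Assumptions, none of which come from the thread itself:
  * the events are constructed; field names follow the thread;
  * a subsearch that returns one field is expanded into OR'd search terms,
    and a search term on a field value matches case-insensitively;
  * `join` matches field values exactly (case-sensitive), with max=1 as the
    default and overwrite=true, so subsearch fields replace same-named outer fields.
"""
import re

FIELDS = ["field_1", "field_2", "field_3", "field_4"]

# Constructed sample events. first_access_logs carries the node id after the ":"
# in tracking_id; node_access_logs carries it in src_ip.
FIRST_ACCESS_LOGS = [
    {"emp_id": "472421", "tracking_id": "14616113:node-ab12", "field_1": "a1", "field_2": "a2"},
    {"emp_id": "472421", "tracking_id": "14616113:node-cd34", "field_1": "b1", "field_2": "b2"},
]
NODE_ACCESS_LOGS = [
    {"src_ip": "node-ab12", "field_3": "c3", "field_4": "c4"},
    {"src_ip": "node-ab12", "field_3": "c5", "field_4": "c6"},  # second hit for the same id
    {"src_ip": "NODE-CD34", "field_3": "d3", "field_4": "d4"},  # differs from tracking_id only in case
    {"src_ip": "node-zz99", "field_3": "e3", "field_4": "e4"},  # no counterpart at all
]

TRACKING_RE = re.compile(r":(?P<nodeTrackingId>.+)")


def rex_node_tracking_id(events):
    """| rex field=tracking_id ":(?<nodeTrackingId>.+)"  -- adds nodeTrackingId where the regex matches."""
    out = []
    for ev in events:
        ev = dict(ev)
        m = TRACKING_RE.search(ev.get("tracking_id", ""))
        if m:
            ev["nodeTrackingId"] = m.group("nodeTrackingId")
        out.append(ev)
    return out


def subsearch_terms(inner_events):
    """What Splunk substitutes for `[ ... | rename nodeTrackingId as src_ip | fields src_ip ]`."""
    values = sorted({ev["nodeTrackingId"] for ev in inner_events if "nodeTrackingId" in ev})
    return " OR ".join(f'(src_ip="{v}")' for v in values)


def subsearch_version(first, node):
    """index=node_access_logs ... [ search index=first_access_logs ... | fields src_ip ]
    The surviving events are node_access_logs events, so field_1/field_2 can never appear."""
    wanted = {ev["nodeTrackingId"].lower() for ev in rex_node_tracking_id(first) if "nodeTrackingId" in ev}
    return [ev for ev in node if ev.get("src_ip", "").lower() in wanted]  # case-insensitive term match


def join_version(first, node, max_rows=1, normalize=False):
    """index=first_access_logs ... | rex ... | join type=inner nodeTrackingId max=<max_rows>
        [ search index=node_access_logs ... | rename src_ip as nodeTrackingId ]
    normalize=True models `| eval nodeTrackingId=lower(nodeTrackingId)` applied on both sides."""
    key = (lambda v: v.lower()) if normalize else (lambda v: v)
    inner_by_id = {}
    for ev in node:
        if "src_ip" not in ev:
            continue
        inner = dict(ev)
        inner["nodeTrackingId"] = inner.pop("src_ip")  # | rename src_ip as nodeTrackingId
        inner_by_id.setdefault(key(inner["nodeTrackingId"]), []).append(inner)
    joined = []
    for outer in rex_node_tracking_id(first):
        if "nodeTrackingId" not in outer:
            continue  # type=inner: outer rows without a key never join
        matches = inner_by_id.get(key(outer["nodeTrackingId"]), [])
        if max_rows > 0:
            matches = matches[:max_rows]  # max=1 (default) keeps one subsearch row per outer row
        for inner in matches:
            row = dict(outer)
            row.update(inner)  # overwrite=true: subsearch fields win
            joined.append(row)
    return joined


def table(rows, fields):
    """| table field_1, field_2, field_3, field_4 -- a field no row carries becomes an empty column."""
    return [{f: row.get(f) for f in fields} for row in rows]


def missing_fields(rows, fields):
    """Fields named in `table` that are absent from every row: to4kawa's question, as a check."""
    return [f for f in fields if not any(f in row for row in rows)]


if __name__ == "__main__":
    print("subsearch expands to:", subsearch_terms(rex_node_tracking_id(FIRST_ACCESS_LOGS)))
    sub = subsearch_version(FIRST_ACCESS_LOGS, NODE_ACCESS_LOGS)
    print(len(sub), "rows via subsearch; fields never present:", missing_fields(sub, FIELDS))
    print(len(join_version(FIRST_ACCESS_LOGS, NODE_ACCESS_LOGS)), "rows via join (defaults)")
    print(len(join_version(FIRST_ACCESS_LOGS, NODE_ACCESS_LOGS, max_rows=0)), "rows via join max=0")
    fixed = join_version(FIRST_ACCESS_LOGS, NODE_ACCESS_LOGS, max_rows=0, normalize=True)
    print(len(fixed), "rows via join max=0 + lower() on both sides")
    for row in table(fixed, FIELDS):
        print(row)
```

With the constructed data the subsearch form returns three node_access_logs rows but can never carry field_1/field_2, while the join form with defaults returns a single row (the second node-ab12 hit is dropped by max=1 and NODE-CD34 does not match node-cd34 exactly); only with max=0 and the key lowercased on both sides do all four fields come out. The practical check this suggests in Splunk, before blaming `join`, is to run `| stats count by nodeTrackingId` on each side separately and compare the raw key values, and to confirm that field_1 to field_4 actually exist in the events being joined.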