Re: How to map an matching result from 1 query to ...

saimack · ‎02-14-2016

Please help me in this query.
--I have a query which produces result like
uid user ip
1001 xyz 1.1.1.1
1002 abc 1.1.1.1
--another query which returns
ip logintime loginLength
xyz 10:00 180
abc 15:00 280

=>how can i combine the result like
uid loginlength
1001 180
1002 280

Thanks !

raghu_vedic · ‎03-25-2016

first get the first query data i.e uid and user as index=your_index_name | stats count by uid user
then map it with second query as | map search="search index=your_index_name
ip=$user$ and then display as | stats first(loginLength) as $uid$

final query is
***index=your_index_name | stats count by uid user
| map search="search index=your_index_name
ip=$user$ | stats first(loginLength) as $uid$* | transpose"**

jplumsdaine22 · ‎02-15-2016

It would be a great help if you posted your searches. Also check out this handy guide on event correlation:

http://docs.splunk.com/Documentation/Splunk/6.3.2/Search/Abouteventcorrelation

somesoni2 · ‎02-15-2016

Without knowing your searches, the suggestion would be this

your first search giving uid, user, ip | append [ your second search  giving ip logintime loginLength ]  | stats values(loginLength) as loginLenght by uid

There may be an option to avoid subsearch, but we can see unless we see your actual searches.

How to map an matching result from 1 query to another

Your Guide to SPL2 at .conf24!

Get ready to show some Splunk Certification swagger at .conf24!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...