Splunk Search

Unable to join two search with common field, however sub-search works

jagdeepgupta813
Explorer

Hi All,

Please help me to debug an issue joining two searches on a common field.
I have two indexes whose values can be matched, and I want to get field_1 and field_2 from first_access_logs and field_3 and field_4 from node_access_logs.

first_access_logs has a trackingId with one part that we call nodeTrackingId.
node_access_logs has the node tracking id too, but there it is stored in the src_ip field.

If I use the inner search to combine the two results, the query works, but I do not get fields from both searches in the final output, only the fields from node_access_logs:

index=node_access_logs "search/api/another?value=&id"   
[ search  index=first_access_logs emp_id=472421 "14616113" "POST" "search/api/values"  
| rex field=tracking_id ":(?<nodeTrackingId>.+)"    
| rename nodeTrackingId as src_ip| fields src_ip 
] 

However, when I use this as a join query (I tried removing type=inner from the command as well), it does not return any result:

index=first_access_logs emp_id=472421 "14616113" "POST" "search/api/values" 
| rex field=tracking_id ":(?<nodeTrackingId>.+)"    
| join type="inner" nodeTrackingId 
[ search index=node_access_logs "search/api/another?value=&id"  
| rename src_ip as nodeTrackingId 
] | table field_1,field_2, field_3, field_4
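To reason about why the join form can come back empty while the subsearch form works, here is an added Python model of the correlation the question describes (not code from the thread or from Splunk). It reproduces the rex extraction and an inner join with max=0 on constructed sample events, and adds the check a practitioner would run first: comparing the key values on both sides. Field names and event values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the thread). In first_access_logs the node id is the
# part of tracking_id after the colon; in node_access_logs the same id sits in src_ip.
FIRST_ACCESS_LOGS = [
    {"emp_id": "472421", "tracking_id": "req-14616113:node-a1", "field_1": "POST", "field_2": "search/api/values"},
    {"emp_id": "472421", "tracking_id": "req-14616113:node-b2", "field_1": "POST", "field_2": "search/api/values"},
    {"emp_id": "999999", "tracking_id": "req-0:node-zz", "field_1": "GET", "field_2": "other"},
]
NODE_ACCESS_LOGS = [
    {"src_ip": "node-a1", "field_3": "search/api/another?value=&id", "field_4": 200},
    {"src_ip": "node-a1", "field_3": "search/api/another?value=&id", "field_4": 500},
    {"src_ip": "node-c3", "field_3": "search/api/another?value=&id", "field_4": 200},
]

# Same capture as the rex in the thread: everything after the first colon.
NODE_ID_RE = re.compile(r":(?P<nodeTrackingId>.+)")


def extract_node_id(tracking_id):
    m = NODE_ID_RE.search(tracking_id)
    # Normalise whitespace: a trailing space or case difference on either side is
    # enough for an equality join to match nothing.
    return m.group("nodeTrackingId").strip() if m else None


def inner_join(first, node, emp_id="472421"):
    """Model of: rex ... | join type=inner max=0 nodeTrackingId [ ... | rename src_ip as nodeTrackingId ]."""
    by_node = defaultdict(list)
    for ev in node:
        by_node[ev["src_ip"].strip()].append(ev)
    rows = []
    for ev in first:
        if ev["emp_id"] != emp_id:
            continue
        key = extract_node_id(ev["tracking_id"])
        for match in by_node.get(key, []):  # max=0: keep every matching right-side event
            rows.append({"nodeTrackingId": key, "field_1": ev["field_1"], "field_2": ev["field_2"],
                         "field_3": match["field_3"], "field_4": match["field_4"]})
    return rows


def key_overlap(first, node):
    """Diagnostic for an empty join: which key values exist on one side only."""
    left = {extract_node_id(ev["tracking_id"]) for ev in first} - {None}
    right = {ev["src_ip"].strip() for ev in node}
    return {"common": sorted(left & right), "only_left": sorted(left - right), "only_right": sorted(right - left)}
```

If key_overlap reports no common values, the join cannot return rows regardless of type or max, and the extracted value should be compared with src_ip character by character.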

dindu
Contributor

Hi,

Could you please try the search below.

   index=first_access_logs emp_id=472421 "14616113" "POST" "search/api/values" 
  | rex field=tracking_id ":(?<nodeTrackingId>.+)"    
  | join type="inner" nodeTrackingId max=0
  [ search index=node_access_logs "search/api/another?value=&id"  
  | rename src_ip as nodeTrackingId
  |fields nodeTrackingId,*  ] 
  | table field_1,field_2, field_3, field_4

jagdeepgupta813
Explorer

Thanks Dindu for replying. I tried the changes you suggested:

adding type="inner" and max=0
keeping the common field from the outer search (nodeTrackingId), renaming the src_ip field from the other search, and also selecting all fields along with nodeTrackingId in the bracketed search

but this did not change the result.


to4kawa
Ultra Champion

What are field_1, field_2, field_3, field_4?
nodeTrackingId / src_ip is not any field_X?
