- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Unable to join two search with common field, h...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unable to join two search with common field, however sub-search works
HI All,
Please help me to debug the issue to join two searches based on common field.
I have two indexes which has values which can be matched and I want to get field_1, field_2 from first_access_log and field_3 and field_4 from node_access logs.
first_access_logs has one trackingId which has one part , we call that nodeTrackingId
node_access_log has node tracking id but that is defined in the src_ip field.
if I use the inner search to combine two results, the query works but I do not get fields from both search in the final output but only the field from node_access_logs
index=node_access_logs "search/api/another?value=&id"
[ search index=first_access_logs emp_id=472421 "14616113" "POST" "search/api/values"
| rex field=tracking_id ":(?<nodeTrackingId>.+)"
| rename nodeTrackingId as src_ip| fields src_ip
]
However, when I use this as join query ( I tried by removing type=inner as well from the command ) it does not return any result
index=first_access_logs emp_id=472421 "14616113" "POST" "search/api/values"
| rex field=tracking_id ":(?<nodeTrackingId>.+)"
| join type="inner" nodeTrackingId
[ search index=node_access_logs "search/api/another?value=&id"
| rename src_ip as nodeTrackingId
] | table field_1,field_2, field_3, field_4
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Could you please try the below search .
index=first_access_logs emp_id=472421 "14616113" "POST" "search/api/values"
| rex field=tracking_id ":(?<nodeTrackingId>.+)"
| join type="inner" nodeTrackingId max=0
[ search index=node_access_logs "search/api/another?value=&id"
| rename src_ip as nodeTrackingId
|fields nodeTrackingId,* ]
| table field_1,field_2, field_3, field_4
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Dindu for replying, I tried using the changes your suggested :
adding type="inner" and max=0
keeping the common field from the outer search ( nodeTrackingId) and rename the src_ip field from other search and also select all fields in the along with nodeTrackingId in the search in brackets
but this did not change the result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what's field_1,field_2, field_3, field_4
nodeTrackingId src_ip is not any field_X?
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
