I have 3 different searches I need to combine, where the secondary and tertiary searches need to be joined, and then the results of those searches need to be joined to another search. I've got the secondary and tertiary joined together, but am now trying to figure out how to do it so I can join their results to the main search I need to query the results of the other two against.
Here's what I have so far (the two queries whose results I have to combine):
index=index1 search_name=search1
| eval field1=otherfield
| eval Starting_date = strftime(Startingdate, "%Y-%m-%d %H:%M:%S")
| join type=outer field2 [dbxquery connection=DB shortnames=t query="select * from Table where Column1 = 4 and Column2 = 3" | eval field2 = substr(Name,5, len(Name)-11) | eval NewDate = Date | table field2, NewDate | fields field2, NewDate]
| eval NewDateepoch = strptime(NewDate, "%Y-%m-%d %H:%M:%S")
| dedup field2, field1, Startingdate
| eval NewDateepoch = if(isnull(NewDateepoch), 0, NewDateepoch)
| eval Startingdate = if(isnull(Startingdate), 0, Startingdate)
| eval LatestTime = if(NewDateepoch>Startingdate, NewDateepoch, Startingdate)
| eval LatestTime = strftime(LatestTime, "%Y-%m-%d %H:%M:%S")
| table field2, field1, NewDate, Starting_date, LatestTime
I need to combine the results of this with another search where I will only match on field1.
This is my first Splunk project, so I'm really new with all of this. Any insight anyone could provide would be greatly appreciated.
Thank you,
Ryan
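One way to do the third join, as an added example that is not from the original post or from a reply: the whole combined query above becomes a subsearch of the main search and is joined to it on field1. The main search's index and search_name (index3, search3) are assumed placeholders.

```spl
index=index3 search_name=search3
| join type=left field1
    [ search index=index1 search_name=search1
      | eval field1=otherfield
      | eval Starting_date=strftime(Startingdate, "%Y-%m-%d %H:%M:%S")
      | join type=outer field2
          [ dbxquery connection=DB shortnames=t query="select * from Table where Column1 = 4 and Column2 = 3"
            | eval field2=substr(Name, 5, len(Name)-11)
            | eval NewDate=Date
            | table field2, NewDate ]
      | eval NewDateepoch=strptime(NewDate, "%Y-%m-%d %H:%M:%S")
      | dedup field2, field1, Startingdate
      | eval NewDateepoch=if(isnull(NewDateepoch), 0, NewDateepoch)
      | eval Startingdate=if(isnull(Startingdate), 0, Startingdate)
      | eval LatestTime=if(NewDateepoch>Startingdate, NewDateepoch, Startingdate)
      | eval LatestTime=strftime(LatestTime, "%Y-%m-%d %H:%M:%S")
      | table field1, field2, NewDate, Starting_date, LatestTime ]
| table field1, field2, NewDate, Starting_date, LatestTime
```

The bracketed query runs as a subsearch and is therefore subject to Splunk's subsearch result-count and runtime limits, so if the combined query can return many rows, the same result can be built with append followed by stats values(*) as * by field1.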