Splunk join two searches

When I also pass latest in the join, it does not work.

What I do is a join between the two tables on user_id. Combine two searches in one table. The problem is, searches can be joined only on a field, but I want to pass a condition to it. Solution. Splunk Enterprise Search Manual, Types of searches: as you search, you will begin to recognize patterns and identify more. You're essentially combining the results of two searches on some common field between the two data sets. @jnudell_2, thank you so much! It works after reversing these two searches. Please check the comment section of the question: both of the above queries work individually, but not when joined as below. |inputlookup ... Hi, I hope you're at 6... Try to avoid the join command since it does not perform well. | mvexpand. Description: The traditional join command joins the results from the main results pipeline with the search pipeline results provided as the last argument. You can join on as many fields as you want, but doing it on latest, in your example, is probably not what you really mean, though it may be. What are... My search 1 gives the page load time (response_time) of the requested content, but it doesn't tell you if it was a logged-out page or a logged-in page. I want to join two indexes and get a result. Failed logins for all users (more than or equal to 5). Join two Splunk queries without predefined fields. The following are examples for using the SPL2 union command.
Subsearches are enclosed in square brackets [] and are always executed first. The issue is that the second tstats gets updated with a token and the whole search will re-run. Learn how to use the join command in Splunk to bring together two matching fields from two different indexes. Below is a simple example: sourcetype_A: s1_field1 = Purchase OK, s1_field2 = 9, s1_field3 = tax value, s1_field4 = Completed; sourcetype_B: s2_field1 = 9, s2_field2 = Rome. This tells the Splunk platform to find any event that contains either word. So I attached a new screenshot with two single search results; I hope it can help to make the problem clear. ...method, so the table will be: ul-ctx-head-span-id | ul-log-data.method. In your case you will just have the third search with the two searches appended together to set the tokens. I am new to Splunk and struggling to join two searches based on conditions. If I interpret your events correctly, this query should do the job. Hi, I am trying to get a list of workstations trying to connect to malicious DNS using PaloAlto and SYSMON logs. Without it, Splunk will only read your default indexes (if you have any defined), which may not contain the data you seek. Try to avoid the join command since it does not perform well. Event 1 is data related to sudo authentication success logs, which has host and user name data. Splunk: Trying to join two searches so I can create delimiters and format as a... The index name is the same. You also want to change the original stats output to be closer to the illustrated mail search. A Splunk join works a lot like a SQL join. But if search Query 2 gives LogonIP<20, then I want to join the result with Query 1 and get the result. 17 - 8.30 138 (60 + 78). Can I calculate the sum for eve... I think I understand now. You can also combine a search result set with itself using the selfjoin command.
But this discussion doesn't have a solution. The left-side dataset is the set of results from a search that is piped into the join command. The information in externalId and _id is the same. Using Splunk: Splunk Search: Join two searches together and create a table. The 'allrequired=f' flag also allows you to concatenate the fields that exist and ignore those that don't. I know that this is a really poor solution, but I find joins and time-related operations quite... I have the following two events from the same index (VPN). Written based on version 0; subsearches (combined use of join, append and inputlookup): default limit on the number of events, subsearch results are limited to 10,000! I ended up running a daily search, like below (it checks the entire keystore for the latest date within 30 days and does a stats count). I need to use o365 logs only; is that possible with the criteria? Index 1 contains a list of domains and event_timestamp; index 2 contains a description for every domain. (| table host DisplayName DisplayVersion DesktopGroupName) host = MachineName; those fields contain the same values in the same format. 30 t2 some-hits ipaddress hits time 20. Example Search A X 1 Y 2. But I don't know how to process your command with other filters. You need to illustrate your data (anonymize as needed), explain key data characteristics, illustrate the results. The join command is a centralized streaming command, which means that rows are processed one by one. index=A product=inA | stats count(UniqueID) as Requests | appendcols [search index=B order="BuyProduct" | stats count(UniqueID) as OrdersPlaced] Check to see whether they have logged on in the last 12 months; in addition, add the date on each user row when the account was created/amended.
In general, is there any way to dynamically manipulate, from the main search, the time range (earliest, latest) that the second search will... Retrieve events from both sources and use stats. I am in need of two rows' values with sum(q... It uses rex to extract fields from the events rather than regex, which just filters events. Hi, thanks for your help. Having a high number of results in the first search is perfectly fine, but the problem is with the second search, which is also called a subsearch. 06-28-2011 07:40 PM. Plotting two time series in a single chart is a question often asked by many of our customers and Answers users. This joins the source data from the search pipeline. The union command is a generating command. The two searches can be combined into a single search. Let's say my first_search above is "sourcetype=syslog "session... Try append instead. With this search, I can get several rows of data with different methods in the field ul-log-data.method. The primary issue I'm encountering is the limitation imposed. The event time from both searches occurs within 20 seconds of each other. I also need to find the total hits for all the matched ipaddress and time events. method ------------A-----------|---------------1------------- ------------B... Yes, the data above is not the real data, but it's just to give an idea of how the logs look. I need to combine both queries and bring out the common values of the matching field in the result. Yeah, so when I ran the search with eventstats, no statistics show up in the results. The query.
If you are joining two large datasets, the join command can consume a lot of resources. If I check the matches_time and metrics_time fields after the stats command, those are blank. I don't know if this is causing an issue, but there could be... One of the datasets can be a result set that is then piped into the union command and merged with a second dataset. The following example merges events from incoming search results with an existing dataset. But when I ran it with stats, the statistics show up in the... You don't say what the current results are for the combined query, but perhaps a different approach will work. I need a different way to join two searches. Getting charts to do what you want can be a chore, or sometimes seemingly impossible. The command you are looking for is bin. We can join two searches with no common fields by creating a field alias so both externalId and _id can map to a distinct field. | inputlookup Applications. You can save it to... Try this! search A | fields userid, action, IP | join IP [search b | fields sendername, client_IP | rename client_IP as IP] OR there is also a way to use stats. Hi all, I am using the search below to enrich a field StatusDescription using... To{}, ExchangeMetaData. 07-21-2021 04:33 AM. I have two Splunk queries and both have one common field with different values in each query. I can create the lookup for one of the queries and correlate the matching field values in the second query, but I am trying to do it without a lookup within...
Hello, I have two searches I'd like to combine into one timechart. I have to agree with joelshprentz that your time ranges are somewhat unclear. join command usage. Most of them frequently use two searches – a main search and a subsearch with append – to pull target... e.g. Multisearch, Union, OR boolean operator: the most common use of the OR operator is to find multiple values in event data, for example, "foo OR bar". Join two searches and draw them on the same chart. index=_internal earliest=-4h | stats count by index sourcetype | join type=inner index [search index=_internal source=*metrics.log group=per_index_thruput earliest=-4h | stats sum(kb) as kb by series | rename series as index] | table index sourcetype kb. Join two searches based on a condition. Update inputs. If the csv contains the values of table b with field names C1, C2 and C3, the following does what you want.
From PaloAlto logs I get the list of malicious domains detected and blocked with the following query, and I do a join statement looking, for each malicious domain, for a DNS request entry in the Sysmon log. Instead, search a will run from -7d@d up to now (search b will use the explicit time range given). If you want to correlate between both indexes, you can use the search below to get you started. Here is an example; the first result would return, for Phase-I: project sub-project processed_timestamp; p1 sp11 5/12/13 2:10:45.344 PM; p1 sp12 5/13/13 12:11:45... I am writing a Splunk query to find out the top exceptions that are impacting clients. Outer Join (Left): the above example shows how the structure of the join command works. However, the "OR" operator is also commonly used to combine data from separate sources, e.g. Hey, thanks for answering. Following is a run-anywhere example using Splunk's _internal index. DO NOT USE the transaction command; try this: index=process_log AND ((MSGNUM="START-PROCESS" OR MSGNUM="END-PROCESS") AND...
argument. Looks like a parsing problem. The union command appends or merges events from the specified datasets, depending on whether the dataset is streaming or non-streaming and where the command is run. Then I try to check if the user displayed has administration rights by appending the subsearch displayed below. Needs some updating probably. Hi, we have two kinds of logs for our system: the first one logs all the user sessions with user name, src ip, dst ip, and login/logout time. But for simple correlation like this, I'd also avoid using join. Optionally... Left join with field 1 from index2 if field1!=" ", otherwise left join with field 2 from index2. Now I use the second search as a... (index="pan_logs" dns sourcetype="pan:threat" dest_zone=External dest_port=53 vendor_action=sinkhole (action=dropped OR action=blocked)) OR (ind... Please help. On the other hand, if the right side contains a limited number of categorical variables-- say zip...
| tstats `summariesonly` count FROM datamodel="Web" WHERE index=XXXX sourcetype=XXXXX by... You will need a lookup table, or a subsearch (not recommended). Create a saved search on a cron job for search 1 and 2 that populates the lookup table. It sounds like you're looking for a subsearch. You can use the union command at the beginning of your search to combine two datasets, or later in your search, where you can combine the incoming search results with a dataset. index="job_index" middle_name="Foe" | join type=left job_title [search index="job_index" middle_name="Stu"] If there is always one event being used from each dataset, then appendcols may perform better. This is a run-anywhere example of how join can be done. Hi all, I have a scenario to combine the search results from two queries. See below: I have two sourcetypes: (index=vulnerability sourcetype=json:id) with the following fields: computername, secondaryid, id; (sourcetype="json:impacts") with the following fields: c_id, cw_id, bs, is... Thanks Kristian. Is it possible to use transaction on two fields, e.g. "hosts" & "hosts2", whereby it is the data in both fields which is the same, and it is that which I wish to correlate? Also, both searches are in different indexes. I'd like to join two searches and run some stats to group the combined result to see how many users change/update browsers and how often. This tells the program to find any event that contains either word. 1) index=symantec_sep sourcetype="symantec:ep:scan:file" | dedup dest | table dest | sort dest. So you run the first search roughly as is. This command requires at least two subsearches and allows only streaming operations in each subsearch.
d,e,f. Solved: I have two searches: search-A gives values like: type status hostname id port Size base cache; OFF host-1 17 NA NA NA NA; ON host-1 6... Simplicity is derived from reducing the two searches to a single search. If I just pass only the client_ip everything works fine, but I want to manipulate the time range of the subsearch. Below the eval line: If I have two searches, one generates fields "key A" and "Column A" and the second search generates fields "key B" and "Column B", and I want to join them together, keep all keys in "key A" and update the values that exist in key A AND key B with the values in Column B, leaving Column A values as a fallback. I want to access its value from inside a case in an eval statement, but I get this error: Unknown search command '0'. I have then set the second search. I want to do a join of two searches that have a common field ID and time, but I want to have a condition on time when IDs match. 20. Then you take only the results from both the tables (the first where condition), and use the last where condition to take only the ones present in all tables. In my IIS logs I have one search that gives me a user agent string (cs_User_Agent) and a SessionId; then another that has the SessionId and the UserId. Search 1 retri... At first you have to check how many results you have in the second query, because there's a limit of 50,000 results in subsearches, so maybe this is the problem.
I have set the first search, which searches for all user accounts: |rest /services/authentication/users splunk_server=local | fields title | rename title as user. Here are examples: file 1: ... Good, I suggest modifying my search using your rules. Hi, recipient domain is the match. In an inner join we join two dataset tables, table A and B, and keep the matching values from those. When you run a search query, the result is stored as a job on the Splunk server. The "inner" query is called a 'subsearch' and the "outer" query is called the "main search". Do you have an example event that sets duration to... Hi, thanks for your answer, but it returns wrong results. I.e. I assume you get events for this: app="atlas". Run your search to retrieve events from both indexes (and add whatever additional criteria there is, if any): index=a OR index=b. Description: The multisearch command is a generating command that runs multiple streaming searches at the same time. CC{}, and ExchangeMetaData. Even if the search works fine, you will get partial results. Hi, it's been more than a week that I have been trying to display the difference between two search results in one field using the "| set diff" command. The left-side dataset is sometimes referred to as the source data. Help joining two different sourcetypes from the same index that both have a... I second the... I also tried {} with no luck. TransactionIdentifier AS... Is it possible to use the common field "host" to join the two events (from the two search results) together within 20 seconds of either event?
BCC{}; the stats function groups all of their values into a multivalue field "values(domain)", grouped by Sender. How to add multiple queries in one search in Splunk. Maybe even an expansion of scope beyond just row aggregation. 06-19-2019 08:53 AM. The join command is an option, but should rarely be the first choice, as 'join' has limitations and is not really the way to do this sort of task in the Splunk world. These are all events from the Splunk Nix TA add-on, which gives var/logs, top, ps etc. logs. (sourcetype=foo OR sourcetype=bar OR sourcetype=xyz). *Search 2 - "EI Microservice"* MicroService - a... When joined: X 8, X 11, Y 9, Y 14. For example, search 1 field header is a,b,c,d. (index=A OR index=B) | stats count earliest(_time) as _time by srcip | where count>=2.
Joined both of them using a common field; these are production logs, so I am changing the names. (Verbs like map and some kinds of join go here.) Then you make the second join (always using stats). Step 3: Filter the search using "where temp_value=0" and filter out all the... Summarize your search results into a report, whether tabular or another visualization format. Below is my query. | join type=left client_ip [search index=xxxx sourcetype... I've been unable to join two searches to get a table of users logged in to VPN, srcip, and sessions (if logged out, 4911 field). Each of these has its own set of _time values. You can use other techniques, such as searching for all the data in a single search and then manipulating it with eval/stats to get to your desired output, but I need more info on that. The above discussion explains the first line of Martin's search. 1) You can use join with an "outer" search and a subsearch: first_search | join host [ second_search ] 2) But you probably don't have to do them as separate searches. An example with a join between a list of users and the logins per server can be: index=users username=* email=*. I currently try to do Splunk auditing by searching which user logged into the system using some sort of user agent and so on. 1. join.csv with fields _time, A, C.
I have three search results giving me three different sets of results, in which there is one common field called object, and the number of results in each may vary. Hi, I wonder whether someone may be able to help me please. Examples of streaming searches include searches with the following commands: search, eval, where, fields, and rex. Step 2: Use the join command to add in the IP addresses from the blacklist; every IP address that matches between the two changes from a 0 to a 1. The index name is the same for both searches, but I was using different aggregate functions with the search. Just for your reference, I have provided the sample data in resp... If the Search Query-2 "Distinct users" result is greater than 20, then I want to ignore the result. | join type=left key [base search] I tried, and if I hard-code the two searches together with the second search in a left join with the base search, it works perfectly. Get all events at once. For example, I am seeing time mismatches in the _time value between chart columns (some being incorrect): the same set of values repeated 9 times. Plus, in the main search you are calculating on an hourly basis, and in the subsearch it is daily. name=domestic-batch context=BATCH action=SEND_EMAIL (status=STARTED OR status="NOT RUN" OR... See the syntax, types, and examples of the join command, as well as the pros and cons. Merge two search results. Description: Indicates the type of join to perform. Take note of the numbers you want to combine. Pipe the results of that into an appendcols that uses a subsearch reflecting the second search (same mods), and pipe that into fields to isolate just the count of deadlocks.
The simplest join possible looks like this: <left-dataset> | join left=L right=R where L.pid = R.pid <right-dataset>. The SRC IP above comes from a pool and can be reassigned to another user if it's not being used by anyone else at the time. In this case the join command only joins the first 50k results. It is essentially impossible at this point. 10-18-2020 11:13 PM. I arrived, like you, from SQL, and I did this work at the beginning of my Splunk activity: I reset my approach to data correlation. In Splunk, join is used to correlate two (or more) searches using one or more common keys and take fields from both searches. Hi, only those matching the policy will show for o365. The only common factor between both indexes is the IP. The second part of the output table (start1, end1, Acct_Session_Id, NAS_IP_Address, User_Name) returns identical rows, i.e. ... Example: | strcat allrequired=f email "|" uname "|" secondaryuname identity. Use the search command to retrieve events from indexes or filter the results of a previous search command in the pipeline. Use regular expressions with two commands in Splunk. In a perfect world the top half doesn't re-run and the second tstats re-uses the first half's data from the original run.
index=o365 "Result of Query-1 LogonIP" earliest=-30d | stats dc(user) as "Distinct users". sourcetype="srcType1" OR sourcetype="srcType2" commonField=* | stats count as eventcount by commonField | search eventcount>1. Unfortunately this got posted by mistake while I was editing the question. Well, the difference between these two approaches is that OR adds new rows to the resulting set while JOIN adds new columns. Here's a variant that uses eventstats to get the unique count of tx ids before the where clause. Add in a time qualifier for grins, and rename the count column to something unambiguous. ip=table2... Descriptions for the join options. TPID=* CALFileRequest... How to join two datamodel searches with multiple AND clauses. The query. I have created the regex which individually identifies the string, but when I try to combine using join, I do not get the result. Click Search. Hello, this is the full query that I am running. Admittedly, given the many ways to manipulate data, there are several methods to achieve this [1]. So you do not want to "combine" the results of the two queries into one, just to apply some additional conditions to the o365 search: conditions used in the mail search that haven't been applied in the o365 search. You should see something like this: Let me say first that your first search might (but that would need some debugging) be highly suboptimal. Below is my code: | set diff [search sourcetype=nessus source=*Host_Enumeration* earliest=-3d@... 07-01-2019 12:52 PM.
I've tried using a search with an OR statement to try to join the searches that I am getting, but I noticed that the fields I am extracting duplicate information and the tables don't get joined properly. Optionally specifies the exact fields to join on. The other (B) contains a list of files from the filesystem on our NAS: user ids, file names, sizes, dates. join userId [search sourcetype=st2] to get this: userId, field1, field2; foo, value1, value2. You must separate the dataset names. I'm using the following searches: Search 1 - "EI Auth" Auth - index="main" auditSource=*auth* auditType=LoginEntitlements detail.Ref=* | stats count by detail.Ref | rename detail.Ref AS REF. Option 1: Use a combined search to calculate the percent and display results using tokens in two different panels. Depending on what you're going for, you could use appendcols, selfjoin, or join, or perform an eval statement combining two searches. After this I need to somehow check if the user and username of the two searches match. Define different settings for the security index. Splunk query based on the results of another query. Suggestions: "Build" your search: start with just the search and run it. I tried to use the NOT command to get the events from the first search but not in the second (subsearch), but in the results I noticed events from the second search (subsearch). But, if you cannot work out any other way of beating this, the append search command might work for you. I'm seeking some guidance with optimizing a Splunk search query that involves multiple table searches and joins. Let's take an example: we have two different datasets.
Description. Let's make it a bit simpler. I have two SPL searches giving the right result when executed separately. The first search result is: ... The second search result is: ... And my problem is how to join these two searches when... Are you sure there isn't anything you're leaving out of your examples? I've updated my question to include a flowchart. Table 1: userid, action, IP. Table 2: sendername, action, client_IP. Query: select Table1.userid, Table1.action, Table1.