How to search freetext after a join?

Konrad_Schlude · ‎03-23-2023

I'm looking for a way to search for freetext after a join.

It is easy when the field is known. For instance, there is a join with left L and right R, and the value of variable $id$ can be in one corresponding fields (in this example, both fields have the same name):

| search L.id=$id$ OR R.id=$id$

But how to search for something like freetext when this text can be a substring in any field of one of the two parts? I don't want to write a check for every field, so I tried things with "_raw" or "L._raw": Nothing worked.

Gr0und_Z3r0 · ‎03-23-2023

You can use OR condition in your search and use stats where the events match, instead of doing a join operation.

index=myindex 
("Processing started") OR ("Processing finished with result")
|stats count by id
|where count>1

Konrad_Schlude · ‎03-23-2023

Thanks for the fast reply. The idea is to join a request with the result of this request. Something like:

index=... "Processing started"
| join type=left left=L right=R where L.id = R.id [search index=... "Processing finished with result"]
| table _time L.id L.dataSource L.message R.message R.orderNumber
| sort _time desc

Simplified data:

id=1234 dataSource=system1 message="Processing started of request from user abc"
id=1234 dataSource=system1 message="Processing finished with result: Success" orderNumber=56789

Gr0und_Z3r0 · ‎03-23-2023

can you provide some sample data?

How to search freetext after a join?

join

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases