Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

SPL Help for below scenerio

vikram1583
Explorer
‎03-16-2020 02:19 PM

search 1...|table src_ip
search 2: tag=authentication user!=*$ src_ip=xx.xx.xx.xx
| head 1
| table user src_ip

from search 1 result i need to find user so i have search 2 to find that but i want to show both results in one search i tried like this
search1....| table src_ip | join type=left src_ip [|search tag=authentication user!=*$ src_ip=$src_ip$ | head 1
| table user src_ip
but not able to find result can some one help

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-16-2020 05:59 PM

You were close. The subsearch should not try to match events itself - the join will do that.

search1....| fields src_ip | join type=left src_ip [|search tag=authentication user!=*$ | stats values(user) as user by src_ip]
| table user src_ip
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

anmolpatel
Builder
‎03-16-2020 04:39 PM

@vikram1583 can you provide more detail about this? Maybe include an example

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...