- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search for value of FieldA, then search FieldB, Ma...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search for value of FieldA, then search FieldB, Match if contains $FieldA, then pull field_C from event with match.
I want to do a search for field_A in index_A. The value of field_A contains a URL minus any http(s), or query terms. I then want to use the value of field_A and search field_B from index_B for values containing it. If field_B contains field_A I want splunk to pull the value of field_C from index_B within the same event/log entry.
I have tried a few different iterations of the search but cannot seem to get the value from field_A to carry as a search term for field_B. I have read many different answer pages, and wikis. I thought I was on the right track with return, or fields commands but I am stuck.
"
earliest =-7d index=index_A sourcetype=source_A field_A=* | fields field_A | dedup field_A | eval = result [ search earliest=-7d index=index_B sourcetype=source_B field_B=<$field_A> ] | fields field_B
"
This one above is a simplified attempt, it does not work but I hope it shows the order I am trying to do things in. index_B is quite large so I want to search index_A first.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The join command might be useful here.
earliest =-7d index=index_A sourcetype=source_B field_B=* | fields field_B,field_C | join type=inner field_B [ search earliest=-7d index=index_A sourcetype=source_A | fields field_A | dedup field_A | rename field_A as field_B ] | fields field_B,field_C
If I understood the question correctly, then an inner join on the larger table B with table A would give the required output.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the quick answer ramdaspr.
Im wondering why we are searching index_a for sourcetype_b which is not in that index. Does the JOIN statement take care of this?
I will test it when I get an opportunity and let you know.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My bad, it should be index_B at the start. Basically keep the larger index outside of the subsearch.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
is there a way we can get the count of main search before join and the final count after performing the join?
Index This | I’m short for "configuration file.” What am I?
New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...
Your Guide to SPL2 at .conf24!
