I want to do a search for field_A in index_A. The value of field_A contains a URL minus any http(s), or query terms. I then want to use the value of field_A and search field_B from index_B for values containing it. If field_B contains field_A I want splunk to pull the value of field_C from index_B within the same event/log entry.
I have tried a few different iterations of the search but cannot seem to get the value from field_A to carry as a search term for field_B. I have read many different answer pages and wikis. I thought I was on the right track with the return or fields commands, but I am stuck.
"
earliest =-7d index=index_A sourcetype=source_A field_A=* | fields field_A | dedup field_A | eval = result [ search earliest=-7d index=index_B sourcetype=source_B field_B=<$field_A> ] | fields field_B
"
This one above is a simplified attempt; it does not work, but I hope it shows the order I am trying to do things in. index_B is quite large, so I want to search index_A first.
The join command might be useful here.
earliest=-7d index=index_A sourcetype=source_B field_B=* | fields field_B,field_C | join type=inner field_B [ search earliest=-7d index=index_A sourcetype=source_A | fields field_A | dedup field_A | rename field_A as field_B ] | fields field_B,field_C
If I understood the question correctly, then an inner join on the larger table B with table A would give the required output.
Thank you for the quick answer ramdaspr.
I'm wondering why we are searching index_A for sourcetype_b, which is not in that index. Does the JOIN statement take care of this?
I will test it when I get an opportunity and let you know.
My bad, it should be index_B at the start. Basically keep the larger index outside of the subsearch.
Is there a way we can get the count of the main search before the join and the final count after performing the join?
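The following search is an added example, not posted by anyone in this thread. It applies the correction from the thread (the large index_B stays outside the subsearch, index_A is searched inside it) and answers the last question by recording the event count before and after the join with eventstats, so both numbers appear on every surviving row. All index, sourcetype and field names are the placeholders used in the thread; a -7d window is assumed.

```spl
earliest=-7d index=index_B sourcetype=source_B field_B=*
| fields field_B, field_C
| eventstats count AS events_before_join
| join type=inner field_B
    [ search earliest=-7d index=index_A sourcetype=source_A field_A=*
      | fields field_A
      | dedup field_A
      | rename field_A AS field_B ]
| eventstats count AS events_after_join
| table field_B, field_C, events_before_join, events_after_join
```

Two points to check before relying on this for a correlation hunt: join matches field_B and field_A on exact, case-sensitive values, so a URL in field_A only matches a field_B value that is identical to it, not one that merely contains it; and the subsearch is subject to Splunk's subsearch result and run-time limits, so a dedup field_A that returns more values than the limit allows will silently truncate the set of URLs being matched. If the number of distinct field_A values is large, run the subsearch on its own first and compare its row count with that limit.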