Splunk how to combine two queries and get one answer

Question 1

Splunk how to combine two queries and get one answer

splunk splunk-query splunk-calculation splunk-formula splunk-sdk

James · Aug 16, 2018 · Viewed 24.7k times · Source

Answer

Answer

Like skoelpin said, I would suggest you to use the join command :

myQuery1 | join commonField [search myQuery2]

In your situation, this would lead to something like :

userName="" entityNumber="" | eval userName=upper(userName) | dedup userName, entityNumber | rename userName as User | table User, entityNumber 
| join User 
[search "Successfully logged in." | rex field=_raw "User[\":](?[^\"IP])"| eval User=upper(User) | Table User | stats count by User]

Be aware that your query might be slow, and that you should optimize your subqueries (by specifying an index, like skoelpin proposed).

Question 2

I am very new to Splunk and basically been dropped in the deep end!! also very new to language so any help and tips on the below would be great.

The out come i am trying to get is to join the queries and get Username, ID and the amount of logins.

The queries are from diff source, sourcetype and host.

Query 1 is Username and ID and Query 2 is Username and Count of logins.

Query 1: userName="" entityNumber="" | eval userName=upper(userName) | dedup userName, entityNumber | rename userName as User | table User, entityNumber

Query 2: "Successfully logged in." | rex field=_raw "User[\":](?[^\"IP])"| eval User=upper(User) | Table User | stats count by User

Thanks in advance for your help. J

Splunk how to combine two queries and get one answer

Answer

Related questions