Splunk join two searches

I don't know if this is causing an issue but there could be

(| table host DisplayName DisplayVersion DesktopGroupName) host = MachineName, that fields contains same values, in same format. If you want to correlate between both indexes, you can use the search below to get you started. Splunk supports nested queries. I know that this is a really poor solution, but I find joins and time related operations quite. You can use the union command at the beginning of your search to combine two datasets or later in your search where you can combine the incoming search results with a dataset. 1. However, it seems to be impossible and very difficult. If the failing user is listed as a member of Domain Admins - display it. On the other hand, if the right side contains a limited number of categorical variables-- say zip. Hi All, I have a scenario to combine the search results from 2 queries. join command usage. 20 50 (10 + 40) user2 t1 20. When Joined X 8 X 11 Y 9 Y 14. conjunction), which is the reason of a better search speed. Merges the results from two or more datasets into one dataset. In Inner Join we join 2 dataset tables which is table A and B and the matching values from those. Hi, I am trying to get a list of workstations trying to connect to malicious DNS using PaloAlto and SYSMON logs. I want to show all, and if it hits the policy, it should show that it hit the policy PII. csv. 1) You can use join with an "outer" search and a subsearch: first_search | join host [ second_search ] 2) But you probably don't have to do them as separate searches. I want to join both search queries to get complete resu. Posted on 17th November 2023. I appreciate your response! Unfortunately that search does not work. Index name is same for both the searches but I was using different aggregate functions with the search. Then I try to check if the user displayed has administration rights by appending the subsearch displayed below.
I have two lookup tables created by a search with outputlookup command, as: table_1. BCC {}; the stats function group all of their values into a multivalue field "values (domain)", grouped by Sender. csv with fields _time, A,C. multisearch Description. conf to use the new index for security source types. Hi, o365 logs has all email captures. Below a simple example: sourcetype_A s1_field1 = Purchase OK s1_field2 = 9 s1_field3 = tax value s1_field4 = Completed sourcetype_B s2_field1 = 9 s2_field2 = Rome. I can create the lookup for one of the queries and correlate the matching field values in the second query but trying to do without lookup within. conf setting such as this: There need to be a common field between those two type of events. So to use multisearch correctly, you should probably always define earliest and. This query found several hits in the Statistics view, many entries had 1 correlationId and 2 durations. Summarize your search results into a report, whether tabular or other visualization format. 30. 1. index=A product=inA | stats count (UniqueID) as Requests | appendcols [search index=B order="BuyProduct" | stats count (UniqueID) as OrdersPlaced] Check to see whether they have logged on in the last 12 months, In addition add the date on each user row when the account was created/amended. Needs some updating probably. pid <right-dataset> This joins the source data from the search pipeline. This tells Splunk platform to find any event that contains either word. My 2nd search gives me the events which will only come in case of Logged in customer. The left-side dataset is the set of results from a search that is piped into the join. Please help in framing the search.
This totally worked for me thanks a ton! For anyone new to this, the fields will look like they've each been merged into a single value in each Parameter, but are still separate values in a way - they're Multivalues now - so to merge 2 multivalues into one, use mkjoin or mkindex (field,0)+mkindex (field,1). How to combine two queries in Splunk?. I've been unable to try and join two searches to get a table of users logged in to VPN, srcip, and sessions (if logged out 4911 field). Whether the datasets are streaming or non-streaming determines if the union command is run on the indexers or the search head. The "inner" query is called a 'subsearch' and the "outer" query is called the "main search". In o365 search, recipient domain is extracted from three possible fields, ExchangeMetaData. action, Table1. This command requires at least two subsearches and allows only streaming operations in each subsearch. Let's take an example: we have two different datasets. Learn how to use the join command in Splunk to bring together two matching fields from two different indexes. If Id field doesn't uniquely identify combination of interesting fields, you. action, Table1. I am not sure if a multi-search is the best approach, or using append vs join vs subsearch. I am in need of two rows values with , sum(q. Example: Query 1: retrieve IPS alerts host=ips ip_src=10. search 2 field header is . below is my query. The situation is something like this, I am writing a search query and data is coming from a macro, another search query and data is coming from another macro, need to make a join like explained above and data is in 500,000-1000000 count. For Type= 101 I don't have fields "Amount" and "Currency", so I'm extracting them through Regex in separate query. Generating commands fetch information from the datasets, without any transformations.
index=mysearchstring2 [ search index=mysearchstring1 | fields employid | format ] Splunk will run the subsearch first and extract only the employid field. Inner Join. In the perfect world the top half doesn't re-run and the second tstat re-use the 1st half's data from the original run. Join two searches based on a condition. Where the command is run. Hence not able to make time comparison. I've tried using a search using an OR statement to try and join the searches that I am getting, but I noticed that the fields I am extracting duplicate information and the tables don't get joined properly. Join two searches together and create a table. eg. SSN AS SSN, CALFileRequest. Because of this, you might hear us refer to two types of searches: Raw event searches. Index name is same. I need to somehow join the two tables to get _time, A,B,C NOTE: the common field in A. join command is an option, but should rarely be the first choice, as 'join' has limitations and is not really the way to do this sort of task in Splunk world. These are all events from Splunk Nix TA add-on which gives var/logs top, ps etc logs. The following table. index=ticket. [R] r ON q. How to join 2 datamodel searches with multiple AND clauses. Bye. Hi rajatsinghbagga, at first you have to check how many results you have in the second query because there's a limit of 50,000 results in subqueries, so maybe this is the problem. To{}, ExchangeMetaData. I tried using coalesce but no luck.
2) index=os_windows Workstation_Name="*"| dedup Workstation_Name | table Workstation_Name | sort Workstation_Name. So at the end I filter the results where the two times are within a range of 10 minutes. But if the search Query 2 LogonIP<20 then, I want to join the result with Query 1 and get the result. The simplest join possible looks like this: <left-dataset> | join left=L right=R where L. Try append, instead. Please read the complete question. 344 PM p1 sp12 5/13/13 12:11:45. The issue is the second tstats gets updated with a token and the whole search will re-run. Below is an example of two different searches that I am joining so I can get the following outcome after creating extracted fields 1. 30. I have to agree with joelshprentz that your timeranges are somewhat unclear. I saw in the doc many ways to do that (Like append. 4. o/ It's true the flowchart was included in the docs based on a nearly identical flowchart that I made years ago. Looks like a parsing problem. EnIP -- need in second row after stats at the end of search. The search uses the information in the dmc_assets table to look up the instance name and machine name. d,e,f Solved: I have two searches: search-A gives values like type status hostname id port Size base cache OFF host-1 17 NA NA NA NA ON host-1 6. Multisearch Union OR boolean operator The most common use of the OR operator is to find multiple values in event data, for example, "foo OR bar." This tells the program to find any event that contains either word. The logical flow starts from a bar chart that groups/counts similar fields. Join two searches together and create a table. index 1 contains a list of domains and event_timestamp, index 2 contains a description for every domain. Simplicity is derived from reducing the two searches to a single search.
Help joining two different sourcetypes from the same index that both have a. With drill down I pass the 'description' by a token to the search that has to combine the search into a table. If the Search Query-2 "Distinct users" results are greater than 20 then, I want to ignore the result. Merges the results from two or more datasets into one dataset. 06-02-2014 01:03 AM. hi let me make it easier for you to understand , | lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match |. Below is my code: | set diff [search sourcetype=nessus source=*Host_Enumeration* earliest=-3d@. Finally, delete the column you don't need with field - <name> and combine the lines. Write a single search to show two records to join; I am assuming you are not masking your intended search and index, and NOT somefield 1 2 is common across both searches: 2. The left-side dataset is the set of results from a search that is piped into the join command. After this I need to somehow check if the user and username of the two searches match. The union command is a generating command. | join type=left key [base search] I tried and if I hard code the 2 searches together with the 2nd search in left join with the base search it works perfectly. I have a very large base search. When I run the first part of the query independently for the last 60 minutes, I receive 13. Thanks I have two searches. Join two Splunk queries without predefined fields. Union the results of a subsearch to the results of the main search. Runtime is the spanned time of a currently. eg.
Table 1 userid, action, IP Table2 sendername, action, client_IP Query : select Table1. I also need to find the total hits for all the matched ipaddress and time event. I want to join the two and enrich all domains in index 1 with their description in index 2. 17 - 8. I need a different way to join two searches. In my IIS logs I have one search that gives me a user agent string ( cs_User_Agent) and a SessionId; then another that has the SessionId and the UserId search 1 retri. Lets make it a bit more simple. I'd like to join these two files in a splunk search. To split these events up, you need to perform the following steps: Create a new index called security, for instance. Suggestions: "Build" your search: start with just the search and run it. Step 2: Use the join command to add in the IP addresses from the blacklist, including every IP address that matches. Since this field is same for hits_table and user_history, how can I specify that I want to read the _time from hits_table and not user_history. union command usage. index=aws-prd-01 application. The important task is correlation. The second part of the output table (start1, end1, Acct_Session_Id, NAS_IP_Address, User_Name) returns identical rows, i.e.
Usually the people that love join are people that come from SQL, but Splunk isn't a DB, it's a search engine, so you should try to think in a different way. | from mysecurityview | fields _time, clientip | union customers. So you run the first search roughly as is. I need to use o365 logs only is that possible with the criteria. See Initiating subsearches with search commands in the Splunk Cloud Platform Search Manual. You can also combine a search result set to itself using the selfjoin command. Here is how I would go about it; search verbose to try an get to a single record of source you are looking to join. join on 2 fields. First one logs all the user sessions with user name, src ip, dst ip, and login/logout time. I will try it. By Splunk January 15, 2013. | stats values (email) AS email by username. Full of tokens that can be driven from the user dashboard. Your query should work, with some minor tweaks. So I need to join two searches on the basis of a common field called uniqueID. Fields: search 1 -> externalId search 2 -> _id. This tells the program to find any event that contains either word. From PaloAlto logs I get the list of malicious domains detected and blocked with the following query and I do a join statement looking for each malicious domain a DNS request entry in the. message = "STORE*") and (sourcetype="snow:incident" dv_opened_by=OPSGenieIntegration) - all within the second search. | JOIN username. The multisearch command is a generating command that runs multiple streaming searches at the same time. Optionally. Combine the results from a search with. There need to be a common field between those two type of events. method, so the table will be: ul-ctx-head-span-id | ul-log.
The 'allrequired=f' flag also allows you to concatenate the fields that exist and ignore those that don't. 1st Dataset: with four fields – movie_id, language, movie_name, country. The following example merges events from the customers and orders index datasets, and the vendors_lookup dataset. In the "Match type" box, enter "WILDCARD (name),WILDCARD (prename)". The subsearch produces no difference field, so the join will not work. You will have to use combinations of first (), last (), min (), max () or values () etc for various fields that you want to work on after correlation. I currently try to do a splunk auditing by searching which user logged into the system using some sort of useragent and so on. The simplest join possible looks like this: <left-dataset> | join left=L right=R where L. Here's a variant that uses eventstats to get the unique count of tx ids which before the where clause. Sorry for being unclear, an example request with response (entries which I can find with my searches): 85a54844766753b0 is a correlationId Request. Solved: Hi, I want to join two searches without using Join command ? I don't want to use join command for optimization issue. I know for sure that this should work - it should return statistics. Example: correlationId: 80005e83861c03b7. Generally, after getting data into your Splunk deployment, you want to: Investigate to learn more about the data you just indexed or to find the root cause of an issue. Outer Join (Left) Above example show the structure of the join command works. Getting charts to do what you want can be a chore, or sometimes seemingly impossible. I'm able to pull out this info if I search individually but unable to combine. Later you can utilise that field during the searches.
The left-side dataset is sometimes referred to as the source data. I have the following two searches: index=main auditSource="agent-f" Solution. If the data from the left part of the search returns a small number of values that can then be looked up on the right, then a map might be the right answer. @ITWhisperer @scelikok @soutamo @saravanan90 @thambisetty @gcusello @bowesmana @to4kawa @woodcock Please help here. In both inner and left joins, events that match are joined. Let's say my first_search above is "sourcetype=syslog "session. e. 73. Description. 6 already because Splunk introduced the join command. Join with different fields names. Having high number of results in first search is perfectly fine, but the problem is with second search which is also called sub search. For this reason I was thinking to run the 2nd search with a dynamic field (latest) which will be calculated in the main search and it will search in the DNS only up to the last time this user used this IP address. 0. Hi, We have two kind of logs for our system: First one logs all the user sessions with user name, src ip, dst ip, and login/logout time. g. One thing that is missing is an index name in the base search. Problem is, searches can be joined only on a field, but I want to pass a condition to it. | set diff [ search index=idx2 sourcetype=src | dedup A ] [search index=idx1 sourcetype=src | dedup A ] | stats count BY index A | table index A.
I tried the below query but it results 0 events: Index=A sourcetype=signlogs outcome=failure. 2nd Dataset: with. I tried to use the NOT command to get the events from the first search but not in the second (subsearch) but in the results, I noticed events from the second search (subsearch). The two searches can be combined into a single search. " This tells Splunk platform to. Syntax The required syntax is in bold. The issue is the second tstats gets updated with a token and the whole search will re-run. the same set of values repeated 9 times. sourcetype="srcType1" OR sourcetype="srcType2" commonField=* | stats count as eventcount by commonField | search eventcount>1. It is built of 2 tstat commands doing a join. Click Search: 5. I am currently using two separate searches and both search queries are working fine when executing separately. If I just pass only the client_ip everything works fine, but I want to manipulate the time range of the subsearch. Hi In fact I got the answer by creating one base search and using the answer to create a second search. Event 2 is data related to password entered and accepted for the sudo login which has host, user name the. Optionally specifies the exact fields to join on.
The search ONLY returns matches on the join when there are identical values for search 1 and search 2. I am trying to find all domains in our scope using many different indexes and multiple joins. Can you please add sample data from two index that are to be correlated? Also, do you know whether the field extractions for indexA and indexB been created by you/your team or are they built. Without it, Splunk will only read your default indexes (if you have any defined), which may not contain the data you seek. etc. Solution. In the perfect world the top half doesn't re-run and the second tstat re-use the 1st half's data from the original run. 02-06-2012 08:26 PM. How to join two searches with specific times. | mvexpand. ip,Table2. client_ip What can be the equivalent query in Splunk if index is considered a table ? below is the actual scenario. Plotting two time-series in a single chart is a question often asked by many of our customers and Answers users. I am trying to find top 5 failures that are impacting client. I have two source types, one (A) has Active Directory information, user id, full name, department. ie I assume you get events for this: app="atlas". Run your search to retrieve events from both indexes (and add whatever additional criteria there is, if any) index=a OR index=b. second search.
1) index=symantec_sep sourcetype="symantec:ep:scan:file" | dedup dest |table dest | sort dest. 20 46 user1 t2 30. The join command is used to combine the results of a sub search with the results of the main search. Solution. To {}, ExchangeMetaData. You can also use append, appendcols, appendpipe, join, lookup. If I interpret your events correctly, this query should do the job. Ah sorry in my test search I had just status. But this discussion doesn't have a solution. 17 - 8. StIP AND q. The most common use of the "OR" operator is to find multiple values in event data, e.g. So version 4 of a certain OS has its own out-of-support date, version 5 another support date. Rows from each dataset are merged into a single row if the where predicate is satisfied. I can create the lookup for one of the queries and correlate the matching field values in the second query but trying to do without lookup within. pid = R.
The above will combine the three fields, 'email', 'uname', and 'secondaryuname' into the single field 'identity', delimiting by the pipe character. You need to illustrate your data (anonymize as needed), explain key data characteristics, illustrate the results. The field extractions in both indexes are built-in. left join with field 1 from index2 if field1!=" " otherwise left join with field 2 from index 2. I need merge all these result into a single table. Description. Ref | rename detail. client_ip What can be the equivalent query in Splunk if index is considered a table ? below is the actual scenario. Here is an example: First result would return for Phase-I project sub-project processed_timestamp p1 sp11 5/12/13 2:10:45. I used Join command but I want to use only one matching field in both. First, check the limits on subsearches, join, append and inputlookup that intermediate Splunk users tend to run into. Splunk Version 8. The join command is a centralized streaming command, which means that rows are processed one by one. 12. This command requires at least two subsearches and allows only streaming operations in each subsearch. Hi, If I am able to answer your query, can you please mark this answer as accepted? Based on your original searches, RecipientDomain is a standalone field that directly comes from index mail. @damode, The event from indexA has userid=242425 however, I do not see 242425 value in the event from indexB.
What you're asking to do is very easy - searching over two sourcetypes to count two fields. Hi, I know this is a hot topic and there is answers everywhere, but I couldn't figure out by my self. Hi, It's been more than a week that I am trying to display the difference between two search results in one field using the "| set diff" command diff. So you do not want to "combine" results of the two queries into one, just to apply some additional conditions to the o365 search, conditions used in the mail search that haven't been applied in the o365 search. I want to access its value from inside a case in an eval statement but I get this error: Unknown search command '0'. 08-03-2020 08:21 PM. And write them so that they are sending back ALL the materials you need at the same time, rather than having to have the head librarian compile things, then ask again. The first part of the output table (start, end connId, clientIP) gives 9 lines from Search 1. see below: I have two sourcetypes: (index=vulnerability sourcetype=json:id) with the following fields: computername secondaryid id (sourcetype="json:impacts") with the following fields: c_id cw_id bs is. Hi, Recipient domain is the match. csv. So I have saved 3 searches, each of the 3 searches product the same fields, but I would like to join them together referencing the. However, it seems to be impossible and very difficult. I also tried {} with no luck. To {}, ExchangeMetaData. | join type=left client_ip [search index=xxxx sourcetype. To display the information in the table, use the following search. Hi I have a very large base search. Then you make the second join (always using stats). e.
I'm trying to join 2 lookup tables. Splunkers! I need to join the follow inputlookup + event search in order to have, for each AppID, the full set of month buckets given from the time range picker Example: Search 1 (From inputlookup): App1 App2. see below: I have two sourcetypes: (index=vulnerability sourcetype=json:id) with the following fields: computername secondaryid id (sourcetype="json:impacts") with the following fields: c_id cw_id bs is. Thanks Kristian, Is it possible to use transaction on two fields, eg "hosts" & "hosts2" whereby it is the data in both fields which is the same, and it is that which I wish to correlate? Also, Both searches are different indexes. I'd like to join two searches and run some stats to group the combined result to see how many users change/update browsers how often. In general is there any way to dynamically manipulate from the main search the time range (earliest latest) that the 2nd search will. Hi Splunkers, I have a complex query to extract the IDs from first search and join it using that to the second search and then calculate the response times. ) and that string will be appended to the main.