topic How to compare two source files with combination of 4 fields as a unique key? in Splunk Search

How to compare two source files with combination of 4 fields as a unique key?

rajumedipally — Mon, 12 Feb 2018 15:55:32 GMT

I have two sources Send Log and Received Log
Send Log has four fields namely A B C D. (Combination of 4 fields as unique)

--A-----B-----C------D----
1. ww1 xx2 yy1 zz2
2. ww1 xx1 yy1 zz1
3. ww2 xx1 yy2 zz1
4. ww2 xx2 yy2 zz2

Received Log is having more than 5 fields namely A B C D E with A B C and D having same values as sendlog.
---A----B-----C----D----E---F----
1. ww1 xx2 yy1 zz2 1b3 Done
2. ww1 xx1 yy1 zz1 5bc Done
4. ww2 xx2 yy2 zz2 a3b Processed

If the value of all the four fields A B C and D match, then it should it retrieve the value of F from ReceivedLog and missing record (3rd row as not received)

Please help which is suitable options this case, and how to achieve this.

Appreciate your help..!!

Thanks.

Re: How to compare two source files with combination of 4 fields as a unique key?

somesoni2 — Mon, 12 Feb 2018 20:37:45 GMT

You can do like this (update the base search for each type of logs per your use-case, showing just some sample query here)

(index=foo sourcetype=bar source=*send.log) OR (index=baz sourcetype=qux source=*receive.log)
| stats values(source) as sources values(E) as E values(F) as F by A B C D

Re: How to compare two source files with combination of 4 fields as a unique key?

rajumedipally — Tue, 13 Feb 2018 14:04:13 GMT

Thanks for the Answer somesoni2

When I executed this results are like below,
A------B----C----D-----source----E----F
ww1 xx2 yy1 zz2 receive 1b3 Done
ww1 xx2 yy1 zz2 Send
ww1 xx1 yy1 zz1 receive 5bc Done
ww1 xx1 yy1 zz1 send
I need in single row with status, if the record didn't receive in receive.log (Ex. 3. ww2 xx1 yy2 zz1) show as NOT SENT