topic How to join two log files in Splunk in Splunk Search

How to join two log files in Splunk

alenseb — Mon, 28 Sep 2020 12:22:22 GMT

Hi all,

I have to two sourcetypes(NetSweep_log & Radius_log), both of them have a common field called "FramedIP". How can i extract the rows which have this common field ??

Please help.
Thanks!!

Re: How to join two log files in Splunk

MHibbin — Mon, 03 Sep 2012 12:55:35 GMT

So basically you will need to (and sorry if there is some repetition to what you have done, question is a little unclear) is...

Extract the fields for each sourcetype, with the easiest way being the IFX (Interactive Field eXtractor), alternatively using conf files.

Search those sourcetypes and you should have that field available in your Field Discovery panel (on the left). e.g....

(Soucetype=NetSweep_log OR sourcetype=Radius_log) | top FramedIP

Shoule be simple enough.

Hope this helps, if it doesn't please explain a little more

MHibbin

Re: How to join two log files in Splunk

alenseb — Mon, 28 Sep 2020 12:22:24 GMT

I guess this shows all the FramedIP from both the sourcetype.
But what i really need is All the data available in NetSweep_Log for FramedIP present in Radius_log.

I am new to Splunk. Sorry if its a stupid question.

Thanks!!

Re: How to join two log files in Splunk

MHibbin — Mon, 28 Sep 2020 12:22:27 GMT

So you want to use the values from the FramedIP field from the NetSweep_Log and use it search in the Radius Logs?

In that case you will need to use the subsearch feature, this will involve:

Define you base search to gather field values (e.g. sourcetype=NetSweep_Log | top FramedIP)
Append this to your main search, where you look at the Radius_log (e.g. sourcetype=Radius_log [search sourcetype=NetSweep_Log | top FramedIP | fields + FramedIP])

I'm assuming this is what you after. You should read docs here... http://docs.splunk.com/Documentation/Splunk/4.3.3/User/HowSubsearchesWork

Re: How to join two log files in Splunk

MHibbin — Mon, 03 Sep 2012 13:38:25 GMT

If this answers your question please mark it as accepted (with the tick next to the answer), and if you are feeling generous you can also up-vote it. Thanks 🙂

Re: How to join two log files in Splunk

alenseb — Tue, 04 Sep 2012 06:42:12 GMT

I tried this command, but it returns "0 matching events".
The logic seems to be correct though.
Is there any syntax we are missing?