https://community.splunk.com/t5/Splunk-Search/Reading-same-field-from-multiple-log-files/m-p/467818#M131686 <P>One cannot rename fields in a base search (the part before the first <CODE>|</CODE>). That's done using <CODE>eval</CODE> or <CODE>rename</CODE>.<BR /> Also, since the start and end times are in separate events, you will not find both 'start' and 'end' together. The starting and ending events must be combined via some common field. Is there a transaction ID or other field that can be used to join the two events?</P> Tue, 07 Apr 2020 13:08:10 GMT richgalloway 2020-04-07T13:08:10Z https://community.splunk.com/t5/Splunk-Search/Reading-same-field-from-multiple-log-files/m-p/467817#M131685 <P>I have 2 log files from different sources. Both log files have statements either indicating a "Transaction-Start" or "Transaction-End" . "EPOCH" is a field common in both log files indicating the timestamp of either start or end of a transaction.</P> <P>Now I want to write a query that fetches EPOCH of "Transaction-Start" from log file 1, call it as, say <CODE>start</CODE> and EPOCH of "Transaction-End" from log file 2, call it as, say <CODE>end</CODE>. Following this, I want to find the difference between <CODE>end</CODE> and <CODE>start</CODE> and display only those logs with a difference higher than a threshold, say <CODE>10000</CODE></P> <P>What I have tried writing is below :</P> <PRE><CODE>index=someIndex ENVIRONMENT="someEnv" (source="/log/source1.log" "Transaction-Start" "EPOCH" as start) OR (source="/log/source2.log" "Transaction-End" "EPOCH" as end) | eval difference=end-start | where difference&gt;10000 </CODE></PRE> <P>But this is not working. Looking for help in composing this search in the right way.</P> Tue, 07 Apr 2020 12:50:40 GMT https://community.splunk.com/t5/Splunk-Search/Reading-same-field-from-multiple-log-files/m-p/467817#M131685 hegdevageesh 2020-04-07T12:50:40Z https://community.splunk.com/t5/Splunk-Search/Reading-same-field-from-multiple-log-files/m-p/467818#M131686 <P>One cannot rename fields in a base search (the part before the first <CODE>|</CODE>). That's done using <CODE>eval</CODE> or <CODE>rename</CODE>.<BR /> Also, since the start and end times are in separate events, you will not find both 'start' and 'end' together. The starting and ending events must be combined via some common field. Is there a transaction ID or other field that can be used to join the two events?</P> Tue, 07 Apr 2020 13:08:10 GMT https://community.splunk.com/t5/Splunk-Search/Reading-same-field-from-multiple-log-files/m-p/467818#M131686 richgalloway 2020-04-07T13:08:10Z https://community.splunk.com/t5/Splunk-Search/Reading-same-field-from-multiple-log-files/m-p/467819#M131687 <P>@richgalloway, yes, there is a "TXID" field that is common field in both log files.</P> Tue, 07 Apr 2020 13:13:57 GMT https://community.splunk.com/t5/Splunk-Search/Reading-same-field-from-multiple-log-files/m-p/467819#M131687 hegdevageesh 2020-04-07T13:13:57Z https://community.splunk.com/t5/Splunk-Search/Reading-same-field-from-multiple-log-files/m-p/467820#M131688 <P>Try this. It assumes EPOCH is an integer. If it isn't then you'll need to use <CODE>strptime</CODE> to convert it into an integer.</P> <PRE><CODE>index=someIndex ENVIRONMENT="someEnv" EPOCH=* (source="/log/source1.log" "Transaction-Start") OR (source="/log/source2.log" "Transaction-End") | eval start = if(source="/log/source1.log", EPOCH, null()), end = if (source="/log/source2.log", EPOCH, null()) | stats values(*) as * by TXID | eval difference=end-start | where difference&gt;10000 </CODE></PRE> Tue, 07 Apr 2020 13:28:19 GMT https://community.splunk.com/t5/Splunk-Search/Reading-same-field-from-multiple-log-files/m-p/467820#M131688 richgalloway 2020-04-07T13:28:19Z