topic combining fields from two log entries which have a common id that is named differently in Splunk Search

combining fields from two log entries which have a common id that is named differently

dreeck — Tue, 29 Sep 2020 21:06:17 GMT

Base,

How can I combine two log entries that share a common ID when the field name of the ID is different between both entries?

Currently I'm using re-name to change my field names into strings that don't contain "-" (eval seems to hate "-"),

rename v.my-very-long-field-name.rid AS rid
then eval to give the unique field names a single name, and transact:

eval request_id=if(isnull(rid), req, rid)
transaction request_id |

Last thing: I table values from both log entries. Seems like it should work great... but... it doesn't.
I end up with table entries containing values from 1 log entry or the other, not both.

Help me Obi Wan...

Re: combining fields from two log entries which have a common id that is named differently

horsefez — Tue, 29 Sep 2020 21:07:29 GMT

Hi my very young padawan,

as you did not provide enough sample data or your full query I have to write in pseudo code.
What I will try is introduce you to subsearches. You can find more information about them here:
http://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/Useasubsearch

index=logsource_A AND my-very-long-field-name.rid=* | rename my-very-long-field-name.rid AS rid
| join rid [search index=logsource_B AND rid=*]

Re: combining fields from two log entries which have a common id that is named differently

knielsen — Tue, 04 Sep 2018 11:51:02 GMT

It would be helpful to see what you are doing with the data, other than "table". Maybe your use case can be done with

sourcetype=A OR sourcetype=B
| rename your.very.long.field.name as rid
| eval request_id=coalesce(req, rid)
| stats <your logic> by request_id
| table your result