https://community.splunk.com/t5/Splunk-Search/merge-2-logs-into-one-with-at-most-one-value-for-each-field/m-p/391496#M190787 <P>@shayhibah how have you indexed the two logs? Are they having same/different metadata like index, sourcetype, source? Best approach would be to write you search to pull all required data from index. Then you can apply correlation afterwards (as per your example does not seem like there is any correlation between the two logs).</P> <P>Please provide more information for the community to assist you better. What is your current SPL? How are you correlating log 1 data with log 2? Will name field serve as the key to correlate and find unique events in each log? How many fields can these logs have?</P> <P>Based on your explanation so far, you can try something like the following:</P> <PRE><CODE>index=blah sourcetype IN ("sourcetypeForLog1","sourceTypeForLog2") source="path\log*" | fields name a,b,c,d, | stats min(_time) as _time last(*) as * by name </CODE></PRE> Mon, 22 Jul 2019 14:00:29 GMT niketn 2019-07-22T14:00:29Z https://community.splunk.com/t5/Splunk-Search/merge-2-logs-into-one-with-at-most-one-value-for-each-field/m-p/391493#M190784 <P>Hi,</P> <P>I would like to combine 2 logs (or more) as the following:</P> <P><STRONG>log #1:</STRONG><BR /> time=1563281015|name=sh_lab|a=1|b=2|c=3|</P> <P><STRONG>log#2:</STRONG><BR /> time=1563281010|a=2|d=4|</P> <P><STRONG>Output should be:</STRONG><BR /> time=1563281015|name=sh_lab|a=1|b=2|c=3|d=4|</P> <P>(time is taken from the first log since it is the latest log,d is taken from the second log since it does not part of the latest log, all other fields are taken from the first log since it is the latest log).</P> <P>Is it possible to do it in Splunk?</P> Thu, 18 Jul 2019 07:39:21 GMT https://community.splunk.com/t5/Splunk-Search/merge-2-logs-into-one-with-at-most-one-value-for-each-field/m-p/391493#M190784 shayhibah 2019-07-18T07:39:21Z https://community.splunk.com/t5/Splunk-Search/merge-2-logs-into-one-with-at-most-one-value-for-each-field/m-p/391494#M190785 <P>any idea??</P> Mon, 22 Jul 2019 12:34:46 GMT https://community.splunk.com/t5/Splunk-Search/merge-2-logs-into-one-with-at-most-one-value-for-each-field/m-p/391494#M190785 shayhibah 2019-07-22T12:34:46Z https://community.splunk.com/t5/Splunk-Search/merge-2-logs-into-one-with-at-most-one-value-for-each-field/m-p/391495#M190786 <P>@shayhibah :</P> <P>Appendcols might give you what you desire. below is something i tried with your data set.</P> <P>| makeresults | eval time=1563281015, name="sh_lab", a=1, b=2, c=3<BR /> | appendcols [makeresults | eval time=1563281010,a=2,d=4 | table d]</P> <P>Kindly know that there is a high possibility you might not get correct results.<BR /><BR /> Because it will correlate the first event of log one with the 1st event of log two, and so on.<BR /><BR /> It will not care about the time and fields of the events or when events came.</P> Mon, 22 Jul 2019 13:38:44 GMT https://community.splunk.com/t5/Splunk-Search/merge-2-logs-into-one-with-at-most-one-value-for-each-field/m-p/391495#M190786 chinmoya 2019-07-22T13:38:44Z https://community.splunk.com/t5/Splunk-Search/merge-2-logs-into-one-with-at-most-one-value-for-each-field/m-p/391496#M190787 <P>@shayhibah how have you indexed the two logs? Are they having same/different metadata like index, sourcetype, source? Best approach would be to write you search to pull all required data from index. Then you can apply correlation afterwards (as per your example does not seem like there is any correlation between the two logs).</P> <P>Please provide more information for the community to assist you better. What is your current SPL? How are you correlating log 1 data with log 2? Will name field serve as the key to correlate and find unique events in each log? How many fields can these logs have?</P> <P>Based on your explanation so far, you can try something like the following:</P> <PRE><CODE>index=blah sourcetype IN ("sourcetypeForLog1","sourceTypeForLog2") source="path\log*" | fields name a,b,c,d, | stats min(_time) as _time last(*) as * by name </CODE></PRE> Mon, 22 Jul 2019 14:00:29 GMT https://community.splunk.com/t5/Splunk-Search/merge-2-logs-into-one-with-at-most-one-value-for-each-field/m-p/391496#M190787 niketn 2019-07-22T14:00:29Z