https://community.splunk.com/t5/Splunk-Search/how-to-join-2-log-files-using-splunk/m-p/77074#M19498 <P>I will try this approach and update accordingly</P> Fri, 04 Jan 2013 05:42:31 GMT infyravi 2013-01-04T05:42:31Z https://community.splunk.com/t5/Splunk-Search/how-to-join-2-log-files-using-splunk/m-p/77071#M19495 <P>Hi,<BR /> I am having 2 log files like this<BR /> 1) abc.log<BR /> 2) master.log</P> <P>In the master.log I am having master data like</P> <P>URI=/ABC/HOME | Name=LandingPage | SLA=10<BR /> URI=/ABC/SOMETRANSACTION| Name=XYZ | SLA=10</P> <P>In ABC.LOG file I am having entries like this<BR /> URI=/ABC/home|TT=10|CLS=ABC<BR /> URI=/ABC/home|TT=20|CLS=ABC<BR /> URI=/ABC/SOMETRANSACTION|TT=20|CLS=CDER</P> <P>Now I want to create a report like this</P> <H2>Business Txn ----&gt; Volume -----&gt; Average Response time---&gt; SLA</H2> <P>Landing page -----&gt; 2 ----------&gt; 15 ------&gt; RED</P> <P>XYZ ------&gt; 1 -----&gt; 20 -----&gt; RED</P> <P>It means the URI should be shown as Name value from master.log file and it should also do the<BR /> count of number of occurences along with Average and SLA calculation.</P> <P>Landing page should come as hyperlink so that when clicked it should show all landing page related transactions in another table.</P> <P>Can anyone let me know how we can achieve this.</P> Thu, 03 Jan 2013 17:43:25 GMT https://community.splunk.com/t5/Splunk-Search/how-to-join-2-log-files-using-splunk/m-p/77071#M19495 infyravi 2013-01-03T17:43:25Z https://community.splunk.com/t5/Splunk-Search/how-to-join-2-log-files-using-splunk/m-p/77072#M19496 <P>is the master.log really a log file? It seems a little bit like a table of acceptable SLA's per URL. In that case it may prove beneficial to use the master log as a lookup table. See the docs on lookup tables.</P> Thu, 03 Jan 2013 22:36:26 GMT https://community.splunk.com/t5/Splunk-Search/how-to-join-2-log-files-using-splunk/m-p/77072#M19496 kristian_kolb 2013-01-03T22:36:26Z https://community.splunk.com/t5/Splunk-Search/how-to-join-2-log-files-using-splunk/m-p/77073#M19497 <P>The approach I would try first is: </P> <PRE><CODE>source="abc.log" OR source="master.log" | stats last(SLA) as SLA last(Name) as Name last max(TT) as maxTT avg(TT) as avgTT by URI </CODE></PRE> <P>You can use the eval or rangemap commands to get you your Red/Yellow/Green column, and you may want/need to use eval to do more massaging with eval etc. but that will give you the basic idea. </P> <P>Beware the <CODE>join</CODE> command. Users new to Splunk often overuse the <CODE>join</CODE> and <CODE>append</CODE> commands because the metaphor matches what they are familiar with from SQL. However it's almost always better to use lookups, eval+stats or transaction. Think of the join and append commands as last resorts - square SQL pegs in a round Splunk world. </P> <P>Here's a flow chart I made a long time ago that attempts to help you through all this. <A href="http://sideviewapps.com/misc/grouping_flow_chart.png">http://sideviewapps.com/misc/grouping_flow_chart.png</A> </P> Thu, 03 Jan 2013 22:45:44 GMT https://community.splunk.com/t5/Splunk-Search/how-to-join-2-log-files-using-splunk/m-p/77073#M19497 sideview 2013-01-03T22:45:44Z https://community.splunk.com/t5/Splunk-Search/how-to-join-2-log-files-using-splunk/m-p/77074#M19498 <P>I will try this approach and update accordingly</P> Fri, 04 Jan 2013 05:42:31 GMT https://community.splunk.com/t5/Splunk-Search/how-to-join-2-log-files-using-splunk/m-p/77074#M19498 infyravi 2013-01-04T05:42:31Z