https://community.splunk.com/t5/Splunk-Search/How-to-extract-if-log1-severity-6-then-what-is-the-severity-in/m-p/638640#M221303 <P>This may not give you what you want, but might be close to what you have asked for</P><LI-CODE lang="markup">| bin _time span=1s | chart latest(severity) by _time log</LI-CODE><P>&nbsp;</P> Tue, 04 Apr 2023 12:26:40 GMT ITWhisperer 2023-04-04T12:26:40Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-if-log1-severity-6-then-what-is-the-severity-in/m-p/638620#M221295 <P>Hi All,&nbsp;</P> <P>I'm searching 2 different logs, which contain the "Severity" as common field.</P> <P>I want to extract,&nbsp; if log1 - severity =6 then what is the severity in log2, at given point of time.</P> <P>Severity values will be 1-6 only</P> <P>Ex:</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Log1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Log2</P> <P>Severity&nbsp; &nbsp; &nbsp; &nbsp;6&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;3</P> <P>Kindly help on the same...</P> <P>Thank you</P> Tue, 04 Apr 2023 10:51:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-if-log1-severity-6-then-what-is-the-severity-in/m-p/638620#M221295 VijayA 2023-04-04T10:51:06Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-if-log1-severity-6-then-what-is-the-severity-in/m-p/638621#M221296 <P>What do you mean by "<SPAN>at given point of time"?</SPAN></P><P><SPAN>Assuming you already have the logs ingested into Splunk, there are most likely stored as a series of events. Hopefully, these events will have a timestamp which is extracted and tagged to event. Splunk can then process these events in a pipeline of events returned by a search. It is essentially processing one event at a time. In order to compare values from more than one event, they have to be brought together (often by a stats command), so that these stats events can be processed (one at a time).</SPAN></P><P><SPAN>How do you want to bring your events from the two logs together?</SPAN></P> Tue, 04 Apr 2023 10:11:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-if-log1-severity-6-then-what-is-the-severity-in/m-p/638621#M221296 ITWhisperer 2023-04-04T10:11:44Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-if-log1-severity-6-then-what-is-the-severity-in/m-p/638623#M221297 <P>Hi,</P><P>I already have logs in splunk from both log1 and log2 as events, they have timestamps as well</P><P>I do have 4 other fields in common and using JOIN to combine the fields.</P><P>but I'm unable to compare the if S=6 in Log1, what is the S value in Log2&nbsp;</P><P>Please provide some comparison steps.&nbsp;</P> Tue, 04 Apr 2023 10:21:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-if-log1-severity-6-then-what-is-the-severity-in/m-p/638623#M221297 VijayA 2023-04-04T10:21:20Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-if-log1-severity-6-then-what-is-the-severity-in/m-p/638627#M221298 <P>You haven't answered the central question - what do you mean by "given point of time"?</P> Tue, 04 Apr 2023 10:30:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-if-log1-severity-6-then-what-is-the-severity-in/m-p/638627#M221298 ITWhisperer 2023-04-04T10:30:34Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-if-log1-severity-6-then-what-is-the-severity-in/m-p/638629#M221299 <P><SPAN>"given point of time" means </SPAN></P><P><SPAN>ex: on&nbsp; 04/04/23 10:04:05 AM if log1 S=6, what is value of S in log2 at the same time.</SPAN></P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Log1&nbsp; &nbsp; &nbsp; &nbsp;Log2</P><P>Severity&nbsp; &nbsp; &nbsp; &nbsp; 6&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 3</P> Tue, 04 Apr 2023 10:35:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-if-log1-severity-6-then-what-is-the-severity-in/m-p/638629#M221299 VijayA 2023-04-04T10:35:08Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-if-log1-severity-6-then-what-is-the-severity-in/m-p/638634#M221301 <P>So, if you have an event in log 1 at&nbsp;<SPAN>04/04/23 10:04:05 AM, are you expecting there to be an event in log 2 at exactly the same time? Down the second, or even millisecond?</SPAN></P> Tue, 04 Apr 2023 11:05:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-if-log1-severity-6-then-what-is-the-severity-in/m-p/638634#M221301 ITWhisperer 2023-04-04T11:05:34Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-if-log1-severity-6-then-what-is-the-severity-in/m-p/638637#M221302 <P>Yes,&nbsp;<SPAN>Down the second, will be good</SPAN></P> Tue, 04 Apr 2023 11:34:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-if-log1-severity-6-then-what-is-the-severity-in/m-p/638637#M221302 VijayA 2023-04-04T11:34:23Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-if-log1-severity-6-then-what-is-the-severity-in/m-p/638640#M221303 <P>This may not give you what you want, but might be close to what you have asked for</P><LI-CODE lang="markup">| bin _time span=1s | chart latest(severity) by _time log</LI-CODE><P>&nbsp;</P> Tue, 04 Apr 2023 12:26:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-if-log1-severity-6-then-what-is-the-severity-in/m-p/638640#M221303 ITWhisperer 2023-04-04T12:26:40Z