https://community.splunk.com/t5/Splunk-Search/Extract-data-from-2-different-logs/m-p/685954#M234051 <P>It works, thank you very much. One more thing, time filter isn't work, I mean if I set for 24H, search return logs for all time</P><P>&nbsp;</P> Tue, 30 Apr 2024 10:49:25 GMT chimuru84 2024-04-30T10:49:25Z https://community.splunk.com/t5/Splunk-Search/Extract-data-from-2-different-logs/m-p/685946#M234045 <P>Hello community!</P><P>I want to extract data from 2 different logs like bellow:</P><P>Log 1: 2024-04-28 06:38:51 INFO Start auth for accountId=1, ip=192.168.1.1</P><P>Log 2: 2024-04-28 06:38:27 INFO Collect response for accountId=1, was: response=FINISH</P><P>For example for accountId=1 I have 10 logs with "Start auth", I mean 10 attempts of start auth.</P><P>In second log, for the same accountId I have 1 or more logs with FINISH.</P><P>I want to make a table like</P><P>accountId&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Start auth&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; FINISH</P><P>1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;10&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;1</P><P>&nbsp;</P><P>Could you helm me with this?&nbsp;</P><P>Thank you.</P> Tue, 30 Apr 2024 09:34:58 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-2-different-logs/m-p/685946#M234045 chimuru84 2024-04-30T09:34:58Z https://community.splunk.com/t5/Splunk-Search/Extract-data-from-2-different-logs/m-p/685949#M234048 <P>Have you already extracted accountId and response? If response does not have any value (null) does the event come from log1? If so, you could try something like this</P><LI-CODE lang="markup">| eval state=coalesce(response, "Start auth") | chart count by accountId state</LI-CODE> Tue, 30 Apr 2024 10:08:43 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-2-different-logs/m-p/685949#M234048 ITWhisperer 2024-04-30T10:08:43Z https://community.splunk.com/t5/Splunk-Search/Extract-data-from-2-different-logs/m-p/685954#M234051 <P>It works, thank you very much. One more thing, time filter isn't work, I mean if I set for 24H, search return logs for all time</P><P>&nbsp;</P> Tue, 30 Apr 2024 10:49:25 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-2-different-logs/m-p/685954#M234051 chimuru84 2024-04-30T10:49:25Z https://community.splunk.com/t5/Splunk-Search/Extract-data-from-2-different-logs/m-p/685955#M234052 <P>This is a different question. Please start a new question with as much detail as possible.</P> Tue, 30 Apr 2024 10:51:54 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-2-different-logs/m-p/685955#M234052 ITWhisperer 2024-04-30T10:51:54Z