topic Re: How can I get the flieds of two logs by joining them? in Splunk Search

How can I get the flieds of two logs by joining them?

marina_rovira — Sun, 30 Nov 2014 18:08:54 GMT

Hi people,
I have a doubt. I've two logs with their own fields.
One of them is ldap-pre.log, that has this fields: IPclient, IPbalan, SNAT, whatM
And the other is debug.log and it has this flields: IPbalan, conn

I want some search that join this two logs, and show me, for each Ipclient, the conn (connection) that this IP has done. Like you see, IPbalan, its the same flied and values for both logs.
It tried somethings eval, transaction, stats, and I get all that the conn (connection) done, like serach something, bind, all the sentences, but I need to see the IPclient who did that connection.
Some help please?

Thank you all,
Marina

Re: How can I get the flieds of two logs by joining them?

musskopf — Sun, 30 Nov 2014 21:30:14 GMT

Hey Marina, give a try using the join command, something like that:

index=bla source=debug.log "your search" |
join type=left IPbalan [ search index=bla source=ldap-pre.log ]

Now the results should have the joined fields. Not that the join operation is case-sensitive - doesn't really matter for IPs but is good to be aware of that anyway... have a look on the Splunk Doc to see all join options.

Another option, if you ldap-pre.log is quite static, would be exporting your ldap-pre.log and converting it to a lookup table. Lookups are normally faster than joins.