Correlate data between 2 seperate source and Alert on conditions


I want to correlate data between logs collected from 2 different sources and I want to alert when a condition is met. How can I create a search for this. Example:

Source 1 log output is: source1_ipaddress visiting_particular_url
Source 2 log output is: source2_ipaddress hostname username

I want to send email alert containing "username" from Source 2 whenever Source 1 logs the event AND source1_ipaddress=source2_ipaddress.
How can I do this? Will appreciate your response. Thanks.

Tags (1)
0 Karma


This is a duplicate question. It should be removed I believe.

0 Karma

New Member

I am also interested in doing something similar - I am particularly concerned with correlating an alert based off of 2 performance counters. For example: we would like to watch % processor time and available mbytes - should both breach certain conditions then send an alert to me.

Any help would be appreciated.

0 Karma


Its easy, index=blah counter=% processor time| eval CPU_Usage=value|join host[search index=blah counter=% available mbytes|eval Mem_Usage=value]| table host,CPU_Usage,Mem_Usage| where Condition|eval Status=if(CPU_Usage>50 AND Mem_Usage>(any value),"Warning","Critical")

Same goes for the above question.

Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes and swag!