Correlate data between 2 seperate source and Alert on conditions


I want to correlate data between logs collected from 2 different sources and I want to alert when a condition is met. How can I create a search for this. Example:

Source 1 log output is: source1_ipaddress visiting_particular_url
Source 2 log output is: source2_ipaddress hostname username

I want to send email alert containing "username" from Source 2 whenever Source 1 logs the event AND source1_ipaddress=source2_ipaddress.
How can I do this? Will appreciate your response. Thanks.

Tags (1)
0 Karma


This is a duplicate question. It should be removed I believe.

0 Karma

New Member

I am also interested in doing something similar - I am particularly concerned with correlating an alert based off of 2 performance counters. For example: we would like to watch % processor time and available mbytes - should both breach certain conditions then send an alert to me.

Any help would be appreciated.

0 Karma


Its easy, index=blah counter=% processor time| eval CPU_Usage=value|join host[search index=blah counter=% available mbytes|eval Mem_Usage=value]| table host,CPU_Usage,Mem_Usage| where Condition|eval Status=if(CPU_Usage>50 AND Mem_Usage>(any value),"Warning","Critical")

Same goes for the above question.

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!