Match the value in same fieldname on different log


Hi All,

I need to match two value from different logs but same field name. How can I do that?
Example I have Ironport where it has recipient field and exchange server behind it that has recipient field as well. I want make condition before I do the search where the recipient in ironport must be the same recipient in th exchange.
In database example it is quite easy where we can do table1.sender==table2.sender (tabel1 abd table2 is for ironport and exchange respectively)
How can i do it in splunk?

Please advise

Thank you

Tags (1)
0 Karma


Splunk has a join operation as well, but it is usually not the best performing approach.

For this example, you might find using Splunk transactions to be of use.



Thanks a lot. Unfortunately, it couldn't work for my case.
Anyway, it is a good link you gave me there.

Thanks again


0 Karma