Base,
How can I combine two log entries that share a common ID when the field name of the ID is different between both entries?
Currently I'm using rename to change my field names into strings that don't contain "-" (eval seems to hate "-"),
rename v.my-very-long-field-name.rid AS rid
then eval to give the unique field names a single name, and transact:
eval request_id=if(isnull(rid), req, rid)
transaction request_id |
Last thing: I table values from both log entries. Seems like it should work great... but... it doesn't.
I end up with table entries containing values from 1 log entry or the other, not both.
Help me Obi Wan...
It would be helpful to see what you are doing with the data, other than "table". Maybe your use case can be done with
sourcetype=A OR sourcetype=B
| rename your.very.long.field.name as rid
| eval request_id=coalesce(req, rid)
| stats <your logic> by request_id
| table your result
Hi my very young padawan,
As you did not provide enough sample data or your full query, I have to write in pseudo code.
What I will try is to introduce you to subsearches. You can find more information about them here:
http://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/Useasubsearch
index=logsource_A AND my-very-long-field-name.rid=* | rename my-very-long-field-name.rid AS rid
| join rid [search index=logsource_B AND rid=*]
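As an added illustration (not code from either answer, from the asker, or from Splunk), here is a small Python stand-in that runs the two proposed strategies over constructed events: answer 1's coalesce-then-group approach and answer 2's rename-then-join approach, next to the ungrouped per-event table that yields the one-sourcetype-or-the-other rows described in the question. The field names, ids and values are invented to mirror the post; the join simulation also assumes the sourcetype-B subsearch renames its req field to rid, which the answer's pseudo code leaves implicit.

```python
# Added example, not from the post: Python stand-in for the SPL in the two answers,
# run over constructed events. All field names and values below are invented.

LONG_NAME = "v.my-very-long-field-name.rid"  # the asker's hyphenated key on sourcetype A

# Constructed sample events. Sourcetype A carries the id under LONG_NAME,
# sourcetype B carries the same id under "req".
EVENTS_A = [
    {"sourcetype": "A", LONG_NAME: "r-100", "status": 200},
    {"sourcetype": "A", LONG_NAME: "r-101", "status": 500},
    {"sourcetype": "A", LONG_NAME: "r-102", "status": 200},
]
EVENTS_B = [
    {"sourcetype": "B", "req": "r-100", "user": "alice"},
    {"sourcetype": "B", "req": "r-101", "user": "bob"},
    {"sourcetype": "B", "req": "r-103", "user": "carol"},  # no A event for this id
]


def rename(event, old, new):
    """`| rename old AS new`: return a copy of the event with the field moved."""
    out = dict(event)
    if old in out:
        out[new] = out.pop(old)
    return out


def coalesce(*values):
    """eval coalesce(): the first argument that is not null."""
    return next((v for v in values if v is not None), None)


def table_per_event(events):
    """The symptom from the question: tabling without any grouping gives one row per
    event, so each row holds fields from only one of the two sourcetypes."""
    rows = []
    for ev in events:
        ev = rename(ev, LONG_NAME, "rid")
        ev["request_id"] = coalesce(ev.get("req"), ev.get("rid"))
        rows.append({k: ev.get(k) for k in ("request_id", "status", "user")})
    return rows


def stats_by_request_id(events):
    """Answer 1: `| eval request_id=coalesce(req, rid) | stats ... by request_id`
    (here: keep the last seen value of every other field, like values(*) for unique values).
    Grouping on the coalesced key folds every event with that id into one row, so the
    row carries fields from both sourcetypes whenever both logged that id."""
    rows = {}
    for ev in events:
        ev = rename(ev, LONG_NAME, "rid")
        request_id = coalesce(ev.get("req"), ev.get("rid"))
        if request_id is None:
            continue  # stats drops events whose by-field is null
        row = rows.setdefault(request_id, {"request_id": request_id})
        for k, v in ev.items():
            if k not in ("req", "rid", "sourcetype"):
                row[k] = v
    return rows


def join_on_rid(events_a, events_b):
    """Answer 2: `index=A | rename LONG_NAME AS rid | join rid [search index=B rid=*]`.
    join is an inner join by default: an A event is kept only when some B event has the
    same rid, and that B event's fields are attached to it. The answer's subsearch
    expects B to already expose `rid`; renaming B's `req` first is an assumption here."""
    b_by_rid = {}
    for ev in events_b:
        ev = rename(ev, "req", "rid")
        b_by_rid.setdefault(ev["rid"], ev)  # join pairs with the first matching subsearch row
    joined = []
    for ev in events_a:
        ev = rename(ev, LONG_NAME, "rid")
        match = b_by_rid.get(ev["rid"])
        if match is None:
            continue  # inner join: unmatched A events are dropped
        merged = {k: v for k, v in ev.items() if k != "sourcetype"}
        merged.update({k: v for k, v in match.items() if k != "sourcetype"})
        joined.append(merged)
    return joined


if __name__ == "__main__":
    print("per-event table (the problem):")
    for row in table_per_event(EVENTS_A + EVENTS_B):
        print("  ", row)
    print("stats by request_id (answer 1):")
    for row in stats_by_request_id(EVENTS_A + EVENTS_B).values():
        print("  ", row)
    print("join rid (answer 2):")
    for row in join_on_rid(EVENTS_A, EVENTS_B):
        print("  ", row)
```

Running it shows the difference that matters for the question: the ungrouped table has six rows, each missing either status or user; the stats variant has four rows, one per id, with r-100 and r-101 carrying fields from both sourcetypes and r-102/r-103 surviving with only their own; the join variant returns only the two ids present on both sides.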