Splunk Dev

How do you combine two different searches with two different sources?

New Member


I am attempting to use Splunk to search two log files that hold activity for two platforms of an application "IOS" & "Android".
The log file for each platform unfortunately uses a different identifier for login behavior.

I would like to combine both searches into one.

Currently each of my searches looks like the following (some filters are the same):

> index=I1 source=S1 sourcetype=ST1 host=H1 "searchCriteria1" earliest=-1hr latest=now | timechart span=5m count by host
> index=I2 source=S2 sourcetype=ST1 host=H1 "searchCriteria2" earliest=-1hr latest=now | timechart span=5m count by host

I would like to have the result displayed as follows; total, android and ios.

I am using the JAVA API to splunk, so as long as I can differentiate Android from IOS on the response, that is ok.

| Time | Total Logins | Android Logins | IOS Logins |
|---|---|---|---|
| 01:00 | 10 | 8 | 2 |
| 02:00 | 15 | 10 | 5 |

I have looked into "multiSearch" and "subsearches" but I am new to using Splunk and do not know exactly what I am trying to do.

Any help is greatly appreciated!

Thank you,

EDIT: Considering I can differentiate between each platform via "source", the following query does produce a correct result, although I'm unsure if it's the correct way. Is there a better way to obtain the following:

(index=jboss source=/var/log/jboss/server.log sourcetype=jboss:server:log host="lblux31*" "NewState showDashboard PreviousState checkIfActiveCustomer")
OR (index=jboss-mobile source=/var/log/jboss-mobile/server.log sourcetype=jboss:server:log host="lblux31*" "[EVENT]login") earliest=-1hr latest=now
| bucket _time span=5m
| stats count by _time, source, host
| sort - _time

New Member

I found the following worked for me.
Key points being the use of "OR" to separate the queries and "bucket" to divide the data:

(index=jboss source=/var/log/jboss/server.log sourcetype=jboss:server:log host="lblux31*" "NewState showDashboard PreviousState checkIfActiveCustomer")
OR (index=jboss-mobile source=/var/log/jboss-mobile/server.log sourcetype=jboss:server:log host="lblux31*" "[EVENT]login") earliest=-1hr latest=now
| bucket _time span=5m
| stats count by _time, source, host
| sort - _time


Yes this was shown to you as a solution.. Not sure why you're taking credit for solutions others provided, but might as well close it out....


Esteemed Legend

The solution in your update is A-OK.



Looks like you've solved your problem. The only change I'd make is | bucket span=1h _time.

Put your edit into an answer and accept it.

If this reply helps you, Karma would be appreciated.


Sometimes I ask myself why do I even contribute when most users don't even bother to accept the answer after using the solution provided


New Member

@skoelpin No one has posted a solution that I have used yet



Your question was how to combine 2 different searches with different sources. You have 2 solutions which you used and said it works.. You have not responded back or clarified what doesn't work.. What didn't get answered??


New Member

@skoelpin can you relax? The solution I'm using at the moment is the one I created. The first solution you posted does not work. The second solution let me know how to use the eval function which I am using. Why are you so agitated? I did not respond because like you I'm in work and didn't have time to respond within 24 hours... fucking hell


New Member

@richgalloway I need the data structured at small intervals, that is why I was using span=5m over an hour period. Mainly because I would like to chart the output


Revered Legend

Try like this (check the eval command to ensure the mapping of source is correct):

(index=jboss source=/var/log/jboss/server.log sourcetype=jboss:server:log host="lblux31*" "NewState showDashboard PreviousState checkIfActiveCustomer")
OR (index=jboss-mobile source=/var/log/jboss-mobile/server.log sourcetype=jboss:server:log host="lblux31*" "[EVENT]login") earliest=-1hr latest=now
| eval type=if(source="/var/log/jboss/server.log","Android","IOS")
| timechart span=5m count by type
| eval "Total Logins"=Android + IOS
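Added example (editor's, not one of the searches posted in this thread): the OR-joined base search from the asker's update combined with the eval mapping from the answer above, with one extra step. After `timechart ... count by type`, a 5-minute bucket that has no iOS events leaves the IOS column null (and if the whole window has no iOS events the column does not exist at all); in eval, null + number is null, so "Total Logins" would come out empty for those rows. `fillnull value=0 Android IOS` creates or zero-fills both columns before the total is computed. The index, source, host filter and search strings are the asker's; the assumption that `/var/log/jboss/server.log` is the Android platform comes from the answer above and must be checked against your own sources.

```spl
(index=jboss source=/var/log/jboss/server.log sourcetype=jboss:server:log host="lblux31*" "NewState showDashboard PreviousState checkIfActiveCustomer")
OR (index=jboss-mobile source=/var/log/jboss-mobile/server.log sourcetype=jboss:server:log host="lblux31*" "[EVENT]login")
earliest=-1h latest=now
| eval type=if(source="/var/log/jboss/server.log", "Android", "IOS")
| timechart span=5m count by type
| fillnull value=0 Android IOS
| eval "Total Logins"=Android + IOS
| rename Android AS "Android Logins", IOS AS "IOS Logins"
| table _time "Total Logins" "Android Logins" "IOS Logins"
| sort - _time
```

The result has fixed column names (_time, "Total Logins", "Android Logins", "IOS Logins"), which is what a client reading the response through the Java SDK wants: the platform split is done in the search rather than re-derived from `source` in Java. If you need to group by additional fields, as the asker does, timechart is the wrong tool; the same split can be done with `| bin _time span=5m | stats count(eval(type="Android")) AS "Android Logins" count(eval(type="IOS")) AS "IOS Logins" count AS "Total Logins" by _time host`, where `count(eval(...))` yields 0 rather than null when nothing matches, so no fillnull is needed.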

New Member

Thanks, the eval command looks useful - I was doing this mapping afterwards using Java, but your solution looks a lot better.



Try this

(index=I1 source=S1 sourcetype=ST1 host=H1) OR (index=I2 source=S2 sourcetype=ST1 host=H1)
  ("searchCriteria1") OR ( "searchCriteria2")  earliest=-1hr latest=now
| timechart span=5m count by host

New Member

Unfortunately I can't use timechart because I need to groupBy multiple fields. "stats count by" looks to be what I require.



Then use stats... What's the issue?

(index=I1 source=S1 sourcetype=ST1 host=H1) OR (index=I2 source=S2 sourcetype=ST1 host=H1)
   ("searchCriteria1") OR ( "searchCriteria2")  earliest=-1hr latest=now
| bin _time span=5m
| stats  count by host, <OTHER FIELD>

New Member

There is no issue, I am using stats. I left a comment to say why I disagreed with your solution; would you rather I didn't comment at all?

I am using stats, as seen by initial edit in the question - BEFORE you commented this answer



So what part of your original question did we not answer?
