How to create table from two different system logs...

sahiljindal339 · ‎10-10-2020

we have two system logs:

1. "Exception in fetching FR response for warehouse published with BusinessKey=XYZ"

2. "Sucessfully extract data for BusinessKeyValue='XYZ' "

i just want to create table [Time of log of First System , Time of Second System ]

where BusinessKey==BusinessKeyValue

richgalloway · ‎10-10-2020

It's not clear what the results should look like so you may need to modify this query.

(index=foo "Exception in fetching FR response for warehouse published with BusinessKey=*") OR (index=bar "Sucessfully extract data for BusinessKeyValue=*")
| eval key=coalesce(BusinessKey, BusinessKeyValue)
| eval firstTime=if(searchmatch("Exception in fetching FR response"),_time,NULL), secondTime=if(searchmatch("Sucessfully extract data"), _time, NULL)
| stats min(firstTime) as "Time of log of First System", min(secondTime) as "Time of Second System" by key

The coalesce function is used to produce a field common to both events since they don't share a field name. The stats command combines events based on their shared "key" field value.

---
If this reply helps you, Karma would be appreciated.

How to create table from two different system logs basis on some condition

administration

upgrade

using Splunk Enterprise

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?