Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

combining two time stamped logs files into one single log file

gkhari
New Member
‎05-03-2016 02:36 PM

I have two time stamped logs - eventlog and syslog as follows
eventlog:
Apr 3 20:26:05 Event-1 Message-01
APR 3 20:26:10 Event-2 Message-02
Apr 3 20:30:42 Event-4 Message-03
Apr 3 20:31:56 Event-3 Message-04
Apr 3 20:32:16 Event-1 Message-05
....
....
syslog :
Apr 3 20:25:36 Module-x Message-xyz
Apr 3 20:26:30 Module-y Message-abc
Apr 3 20:31:36 Module-z Message-pqr
Apr 3 20:31:39 Module-y Message-uvw
.....
.....
How can I combine these two logs on timestamp to return something like
combined-log:

Apr 3 20:25:36 Module-x Message-xyz
Apr 3 20:26:05 Event-1 Message-01
APR 3 20:26:10 Event-2 Message-02
Apr 3 20:26:30 Module-y Message-abc
Apr 3 20:30:42 Event-4 Message-03
Apr 3 20:31:36 Module-z Message-pqr
Apr 3 20:31:39 Module-y Message-uvw
Apr 3 20:31:56 Event-3 Message-04
Apr 3 20:32:16 Event-1 Message-05
...

Tags (1)
0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎05-03-2016 03:31 PM

Any search that returns all the events will, by default, do like you want.

So how do you find the first set? And how to you display the second set? Combine the two with an OR. I'm totally just guessing, but ...

index=eventlog OR index=syslog

If you have multiple criteria for each, you can use parentheses. A totally and completely made up example:

(sourcetype="stream:tcp" AND app=google_gen) OR sourcetype="stream:dns"

Give it a try! If you have problems, post a bit about how you get the results you DO get and we can give you more specific help.

0 Karma
Reply
The Latest From the Splunk Community!