Splunk Enterprise

Combining two time-stamped log files into one single log file

New Member

I have two time-stamped logs, eventlog and syslog, as follows:
eventlog:
Apr 3 20:26:05 Event-1 Message-01
APR 3 20:26:10 Event-2 Message-02
Apr 3 20:30:42 Event-4 Message-03
Apr 3 20:31:56 Event-3 Message-04
Apr 3 20:32:16 Event-1 Message-05
....
....
syslog:
Apr 3 20:25:36 Module-x Message-xyz
Apr 3 20:26:30 Module-y Message-abc
Apr 3 20:31:36 Module-z Message-pqr
Apr 3 20:31:39 Module-y Message-uvw
.....
.....
How can I combine these two logs on timestamp to return something like the following?
combined-log:

Apr 3 20:25:36 Module-x Message-xyz
Apr 3 20:26:05 Event-1 Message-01
APR 3 20:26:10 Event-2 Message-02
Apr 3 20:26:30 Module-y Message-abc
Apr 3 20:30:42 Event-4 Message-03
Apr 3 20:31:36 Module-z Message-pqr
Apr 3 20:31:39 Module-y Message-uvw
Apr 3 20:31:56 Event-3 Message-04
Apr 3 20:32:16 Event-1 Message-05
...


SplunkTrust

Any search that returns all the events will, by default, do like you want.

So how do you find the first set? And how do you display the second set? Combine the two with an OR. I'm totally just guessing, but ...

index=eventlog OR index=syslog

If you have multiple criteria for each, you can use parentheses. A totally and completely made up example:

(sourcetype="stream:tcp" AND app=google_gen) OR sourcetype="stream:dns"

Give it a try! If you have problems, post a bit about how you get the results you DO get and we can give you more specific help.

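To show what the OR search above produces, here is an added example (not from the question or the answer, and not Splunk's own code) that merges the two sample logs from the question offline: it parses the syslog-style prefix (abbreviated month, day, time, no year), tags each line with its source the way an index field would, orders everything by timestamp with a stable sort, and reports lines whose prefix does not parse instead of silently dropping them. The year is an assumption because the format carries none.

```python
import re
from datetime import datetime

# Sample lines taken from the question; the timestamp has no year.
EVENTLOG = """\
Apr 3 20:26:05 Event-1 Message-01
APR 3 20:26:10 Event-2 Message-02
Apr 3 20:30:42 Event-4 Message-03
Apr 3 20:31:56 Event-3 Message-04
Apr 3 20:32:16 Event-1 Message-05
"""

SYSLOG = """\
Apr 3 20:25:36 Module-x Message-xyz
Apr 3 20:26:30 Module-y Message-abc
Apr 3 20:31:36 Module-z Message-pqr
Apr 3 20:31:39 Module-y Message-uvw
"""

# syslog-style prefix: 3-letter month, 1-2 digit day, HH:MM:SS, then a space
TS_RE = re.compile(r"^([A-Za-z]{3})\s+(\d{1,2})\s+(\d{2}):(\d{2}):(\d{2})\s")

def parse_ts(line, year):
    """datetime for the line's prefix, or None if it is absent or invalid.
    The month is normalised so "APR" and "Apr" both parse."""
    m = TS_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    try:
        stamp = f"{year} {mon.title()} {day} {hh}:{mm}:{ss}"
        return datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
    except ValueError:  # e.g. bogus month name or hour > 23
        return None

def merge_logs(sources, year=2000):
    """sources: {source_name: text}. Returns (merged, skipped): merged is a
    list of (timestamp, source_name, line) ordered by timestamp, with ties
    kept in each source's original order; skipped holds unparseable lines.
    year is an assumed value since the log format carries none."""
    merged, skipped = [], []
    for name, text in sources.items():
        for line in text.splitlines():
            ts = parse_ts(line, year)
            (skipped.append((name, line)) if ts is None
             else merged.append((ts, name, line)))
    merged.sort(key=lambda t: t[0])  # list.sort is stable
    return merged, skipped
```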