Splunk Search

Combine output of 2 logs with only 1 key

Explorer

Hey,

I try to figure out if it is possible to have splunk to build a result for my special needings:

I have 2 different log types. In the first one I find a ANI=1234@, with that specific phone number i can find in the second log a new call-ref-id in a way like "call ref=[f13409]".

What I want is to input into the search the phone number, have splunk search it and give an output with combined information of both logs. So it has to find on nearly same timestamp the belonging call ref and then show me all information from both logs.

May this be possible?

Hope to made it clear enough..

Tags (1)
0 Karma
1 Solution

Legend

I imagine you could achieve what you want if you have your field extractions setup so that there is a common name for the fields containing the telephone number. So let's say you've called this field "telephone_number" and that the call-ref-field is called "call_ref". In that case something like this should work:

telephone_number=<yoursearch> | stats list(call_ref) by telephone_number

This gives you a list of all values of call_ref linked to a specific telephone number.

View solution in original post

Legend

I imagine you could achieve what you want if you have your field extractions setup so that there is a common name for the fields containing the telephone number. So let's say you've called this field "telephone_number" and that the call-ref-field is called "call_ref". In that case something like this should work:

telephone_number=<yoursearch> | stats list(call_ref) by telephone_number

This gives you a list of all values of call_ref linked to a specific telephone number.

View solution in original post

Legend

There are a number of ways to do this, but the easiest thing would be to create a field extraction that omits the leading 0. If you search for metrics_ani= otherwise you won't get a match on the events without the leading 0. So, by having a field extraction that extracts the same value in both logs makes sure that you're catching all valid events in your initial search.

0 Karma

Explorer

i have built a field extraction called "metrics_ani" which extracts the number.
but in my second log, this phone number is used without its leading 0 (german dial-out).
further on it is not used in the same surrounding like it is in my first log.

First Log (metrics_ani)
[ANI: sip:number@..
metrics_ani extracts number here correctly.

Is it now possible to transform that number pattern to delete the leading 0 and give it to stats list(call_ref) by metrics_ani= or do I need to make a new field extract for the sort by ?

0 Karma

Legend

You could use transaction for this as well.

0 Karma