Splunk Search

Does Splunk's database support relational search?

keshab
Path Finder

Suppose two log files have a common field named IPaddress. One log file has a username field with that IPaddress field and another log has a kernelno field associated with that IPaddress field. Based on the IPaddress common field, can I search between the two logs to find username and kernelno?


Ayn
Legend

Not sure what you mean by relational in this case - if you search for a certain value of the IP address field without any other constraints, all events having that IP address value will show up, whether they belong to the log file with the username or the log file with the kernelno. If you want to cluster them together, you can use the transaction command for creating a combined event (a transaction) from all events containing the same IP address. This transaction will include all the fields from the individual events it contains, so for instance if the fields in your case are called "ip_address", "username" and "kernelno" you could do:

... | transaction ip_address | table ip_address, username, kernelno

This would give you a table containing the username and kernelno for each IP address value. Is this what you want to achieve?

Takajian
Builder

If you want to search two logs with the same IPaddress, the search syntax is as below.

( sourcetype=logA OR sourcetype=logB ) AND IPaddress=xxx.xxx.xxx.xxx

If you want to correlate two logs, a subsearch will be helpful. As for subsearches, please refer to the following manual.

http://docs.splunk.com/Documentation/Splunk/4.2.4/User/HowSubsearchesWork
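Two ways to write the cross-log correlation that both answers describe, added here as an example and not taken from any post in this thread: the first collapses both logs per IP address with stats (which scales better than transaction on large result sets), the second uses a subsearch in the form Takajian points to. The sourcetype names logA and logB, the field names IPaddress, username and kernelno, and the username alice are assumptions taken from the thread or constructed for illustration.

```spl
(sourcetype=logA OR sourcetype=logB) IPaddress=*
| stats values(username) AS username values(kernelno) AS kernelno BY IPaddress
| where isnotnull(username) AND isnotnull(kernelno)
| table IPaddress, username, kernelno

sourcetype=logB
    [ search sourcetype=logA username=alice | dedup IPaddress | fields IPaddress ]
| table IPaddress, kernelno
```

The where clause keeps only IP addresses seen in both logs; the subsearch form returns an OR of IPaddress terms and is bounded by the subsearch result and time limits set in limits.conf, so check for truncation when the inner search can match many addresses.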
