Splunk Search

Does splunk's database support relational search??

keshab
Path Finder

suppose two log file have common field named IPaddress. One log file has username filed with that IPaddress field and another log has kernelno field associated with that IPaddress field. Based on IPaddress common field, can I search between two logs to find username and kernelno??

Tags (1)
0 Karma

Ayn
Legend

Not sure what you mean by relational in this case - if you search for a certain value of the IP address field without any other constraints, all events having that IP address value will show up, whether they belong to the log file with the username or the log file with the kernelno. If you want to cluster them together, you can use the transaction command for creating a combined event (a transaction) from all events containing the same IP address. This transaction will include all the fields from the individual events it contains, so for instance if the fields in your case are called "ip_address", "username" and "kernelno" you could do:

... | transaction ip_address | table ip_address, username, kernelno

This would give you a table containing the username and kernelno for each IP address value. Is this what you want to achieve?

Takajian
Builder

If you want to search two logs with same IPadress, the search syntax is like as bellow.

( sourcetype=logA OR sourcetype=logB ) AND IPaddress=xxx.xxx.xxx.xxx

If you want to correlate two logs, subsearch will be helpful. As for subsearch, please refer to following manual.

http://docs.splunk.com/Documentation/Splunk/4.2.4/User/HowSubsearchesWork

Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...