Suppose two log files have a common field named IPaddress. One log file has a username field alongside that IPaddress field, and the other log has a kernelno field associated with that IPaddress field. Based on the common IPaddress field, can I search across the two logs to find username and kernelno?
Not sure what you mean by relational in this case - if you search for a certain value of the IP address field without any other constraints, all events having that IP address value will show up, whether they belong to the log file with the username or the log file with the kernelno. If you want to cluster them together, you can use the transaction command for creating a combined event (a transaction) from all events containing the same IP address. This transaction will include all the fields from the individual events it contains, so for instance if the fields in your case are called "ip_address", "username" and "kernelno" you could do:
... | transaction ip_address | table ip_address, username, kernelno
This would give you a table containing the username and kernelno for each IP address value. Is this what you want to achieve?
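As an added example (not part of the answer above), here is the transaction approach written out against the field names from the question, followed by a stats-based equivalent. Both assume the two logs are indexed as sourcetype=logA (the one carrying username) and sourcetype=logB (the one carrying kernelno); those sourcetype names are assumptions, substitute your own.

```spl
(sourcetype=logA OR sourcetype=logB) IPaddress=*
| transaction IPaddress maxspan=1h
| table IPaddress, username, kernelno, eventcount

(sourcetype=logA OR sourcetype=logB) IPaddress=*
| stats values(username) AS username, values(kernelno) AS kernelno, dc(sourcetype) AS sources BY IPaddress
| where sources=2
```

The first search builds one transaction per IPaddress within a one-hour window (maxspan is there so a long-lived or reused address does not get folded into a single giant event). The second search does the same correlation with stats, which is cheaper on large data sets and does not run into the transaction command's event limit; dc(sourcetype) counts how many of the two logs each address appears in, so where sources=2 keeps only addresses that have both a username and a kernelno. Note that neither search proves the username and the kernelno refer to the same host: an address handed out by DHCP or shared behind NAT can legitimately map to several usernames, which is why values() returns a multivalue field rather than a single one.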
If you want to search two logs with the same IPaddress, the search syntax is as below.
( sourcetype=logA OR sourcetype=logB ) AND IPaddress=xxx.xxx.xxx.xxx
If you want to correlate two logs, a subsearch will be helpful. For subsearch, please refer to the following manual.
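As an added example (not from the answer above or the manual it refers to), here are the two common subsearch forms for this correlation. Both assume sourcetype=logA carries username, sourcetype=logB carries kernelno, and that the user being looked up is jdoe; the sourcetypes and the username are assumptions.

```spl
sourcetype=logB [ search sourcetype=logA username=jdoe | dedup IPaddress | fields IPaddress ]
| table _time, IPaddress, kernelno

sourcetype=logA
| join type=inner IPaddress [ search sourcetype=logB | fields IPaddress, kernelno ]
| table _time, IPaddress, username, kernelno
```

In the first search the bracketed subsearch runs first and is expanded into a filter of the form IPaddress=a OR IPaddress=b, so the outer search only reads logB events for addresses that user touched in logA. The second search uses join to attach kernelno to every logA event with a matching address. Two caveats a practitioner should keep in mind: a subsearch is cut off at 10,000 results and 60 seconds by default (the [subsearch] stanza in limits.conf), silently truncating the address list when it is exceeded, and join discards outer events that have no match, so an address present in only one of the logs disappears from the result rather than appearing with an empty field.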