Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract,  if log1 - severity =6 then what is the severity in log2, at given point of time?

VijayA
Explorer
‎04-04-2023 03:01 AM

Hi All, 

I'm searching 2 different logs, which contain the "Severity" as common field.

I want to extract,  if log1 - severity =6 then what is the severity in log2, at given point of time.

Severity values will be 1-6 only

Ex:

                        Log1                                 Log2

Severity       6                                           3

Kindly help on the same...

Thank you

Labels (4)
Labels
0 Karma
Reply

VijayA
Explorer
‎04-04-2023 03:35 AM

"given point of time" means

ex: on  04/04/23 10:04:05 AM if log1 S=6, what is value of S in log2 at the same time.

                          Log1       Log2

Severity        6                  3

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-04-2023 04:05 AM

So, if you have an event in log 1 at 04/04/23 10:04:05 AM, are you expecting there to be an event in log 2 at exactly the same time? Down the second, or even millisecond?

0 Karma
Reply

VijayA
Explorer
‎04-04-2023 04:34 AM

Yes, Down the second, will be good

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-04-2023 05:26 AM

This may not give you what you want, but might be close to what you have asked for

| bin _time span=1s
| chart latest(severity) by _time log

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-04-2023 03:11 AM

What do you mean by "at given point of time"?

Assuming you already have the logs ingested into Splunk, there are most likely stored as a series of events. Hopefully, these events will have a timestamp which is extracted and tagged to event. Splunk can then process these events in a pipeline of events returned by a search. It is essentially processing one event at a time. In order to compare values from more than one event, they have to be brought together (often by a stats command), so that these stats events can be processed (one at a time).

How do you want to bring your events from the two logs together?

0 Karma
Reply

VijayA
Explorer
‎04-04-2023 03:21 AM

Hi,

I already have logs in splunk from both log1 and log2 as events, they have timestamps as well

I do have 4 other fields in common and using JOIN to combine the fields.

but I'm unable to compare the if S=6 in Log1, what is the S value in Log2 

Please provide some comparison steps. 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-04-2023 03:30 AM

You haven't answered the central question - what do you mean by "given point of time"?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...