Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract,  if log1 - severity =6 then what is the severity in log2, at given point of time?

VijayA
Explorer
‎04-04-2023 03:01 AM

Hi All, 

I'm searching 2 different logs, which contain the "Severity" as common field.

I want to extract,  if log1 - severity =6 then what is the severity in log2, at given point of time.

Severity values will be 1-6 only

Ex:

                        Log1                                 Log2

Severity       6                                           3

Kindly help on the same...

Thank you

Labels (4)
Labels
0 Karma
Reply

VijayA
Explorer
‎04-04-2023 03:35 AM

"given point of time" means

ex: on  04/04/23 10:04:05 AM if log1 S=6, what is value of S in log2 at the same time.

                          Log1       Log2

Severity        6                  3

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-04-2023 04:05 AM

So, if you have an event in log 1 at 04/04/23 10:04:05 AM, are you expecting there to be an event in log 2 at exactly the same time? Down the second, or even millisecond?

0 Karma
Reply

VijayA
Explorer
‎04-04-2023 04:34 AM

Yes, Down the second, will be good

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-04-2023 05:26 AM

This may not give you what you want, but might be close to what you have asked for

| bin _time span=1s
| chart latest(severity) by _time log

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-04-2023 03:11 AM

What do you mean by "at given point of time"?

Assuming you already have the logs ingested into Splunk, there are most likely stored as a series of events. Hopefully, these events will have a timestamp which is extracted and tagged to event. Splunk can then process these events in a pipeline of events returned by a search. It is essentially processing one event at a time. In order to compare values from more than one event, they have to be brought together (often by a stats command), so that these stats events can be processed (one at a time).

How do you want to bring your events from the two logs together?

0 Karma
Reply

VijayA
Explorer
‎04-04-2023 03:21 AM

Hi,

I already have logs in splunk from both log1 and log2 as events, they have timestamps as well

I do have 4 other fields in common and using JOIN to combine the fields.

but I'm unable to compare the if S=6 in Log1, what is the S value in Log2 

Please provide some comparison steps. 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-04-2023 03:30 AM

You haven't answered the central question - what do you mean by "given point of time"?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...