Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to join two log files in Splunk

alenseb
Communicator
‎09-03-2012 05:49 AM

Hi all,

I have to two sourcetypes(NetSweep_log & Radius_log), both of them have a common field called "FramedIP". How can i extract the rows which have this common field ??

Please help.
Thanks!!

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MHibbin
Influencer
‎09-03-2012 05:55 AM

So basically you will need to (and sorry if there is some repetition to what you have done, question is a little unclear) is...

Extract the fields for each sourcetype, with the easiest way being the IFX (Interactive Field eXtractor), alternatively using conf files.

Search those sourcetypes and you should have that field available in your Field Discovery panel (on the left). e.g....

(Soucetype=NetSweep_log OR sourcetype=Radius_log) | top FramedIP

Shoule be simple enough.

Hope this helps, if it doesn't please explain a little more

MHibbin

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MHibbin
Influencer
‎09-03-2012 05:55 AM

So basically you will need to (and sorry if there is some repetition to what you have done, question is a little unclear) is...

Extract the fields for each sourcetype, with the easiest way being the IFX (Interactive Field eXtractor), alternatively using conf files.

Search those sourcetypes and you should have that field available in your Field Discovery panel (on the left). e.g....

(Soucetype=NetSweep_log OR sourcetype=Radius_log) | top FramedIP

Shoule be simple enough.

Hope this helps, if it doesn't please explain a little more

MHibbin

0 Karma
Reply
Solved! Jump to solution

alenseb
Communicator
‎09-03-2012 11:42 PM

I tried this command, but it returns "0 matching events".
The logic seems to be correct though.
Is there any syntax we are missing?

0 Karma
Reply
Solved! Jump to solution

MHibbin
Influencer
‎09-03-2012 06:38 AM

If this answers your question please mark it as accepted (with the tick next to the answer), and if you are feeling generous you can also up-vote it. Thanks 🙂

0 Karma
Reply
Solved! Jump to solution

MHibbin
Influencer
‎09-03-2012 06:35 AM

So you want to use the values from the FramedIP field from the NetSweep_Log and use it search in the Radius Logs?

In that case you will need to use the subsearch feature, this will involve:

  1. Define you base search to gather field values (e.g. sourcetype=NetSweep_Log | top FramedIP)
  2. Append this to your main search, where you look at the Radius_log (e.g. sourcetype=Radius_log [search sourcetype=NetSweep_Log | top FramedIP | fields + FramedIP])

I'm assuming this is what you after. You should read docs here... http://docs.splunk.com/Documentation/Splunk/4.3.3/User/HowSubsearchesWork

Reply
Solved! Jump to solution

alenseb
Communicator
‎09-03-2012 06:10 AM

I guess this shows all the FramedIP from both the sourcetype.
But what i really need is All the data available in NetSweep_Log for FramedIP present in Radius_log.

I am new to Splunk. Sorry if its a stupid question.

Thanks!!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...