Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to join two log files in Splunk

alenseb
Communicator
‎09-03-2012 05:49 AM

Hi all,

I have to two sourcetypes(NetSweep_log & Radius_log), both of them have a common field called "FramedIP". How can i extract the rows which have this common field ??

Please help.
Thanks!!

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MHibbin
Influencer
‎09-03-2012 05:55 AM

So basically you will need to (and sorry if there is some repetition to what you have done, question is a little unclear) is...

Extract the fields for each sourcetype, with the easiest way being the IFX (Interactive Field eXtractor), alternatively using conf files.

Search those sourcetypes and you should have that field available in your Field Discovery panel (on the left). e.g....

(Soucetype=NetSweep_log OR sourcetype=Radius_log) | top FramedIP

Shoule be simple enough.

Hope this helps, if it doesn't please explain a little more

MHibbin

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MHibbin
Influencer
‎09-03-2012 05:55 AM

So basically you will need to (and sorry if there is some repetition to what you have done, question is a little unclear) is...

Extract the fields for each sourcetype, with the easiest way being the IFX (Interactive Field eXtractor), alternatively using conf files.

Search those sourcetypes and you should have that field available in your Field Discovery panel (on the left). e.g....

(Soucetype=NetSweep_log OR sourcetype=Radius_log) | top FramedIP

Shoule be simple enough.

Hope this helps, if it doesn't please explain a little more

MHibbin

0 Karma
Reply
Solved! Jump to solution

alenseb
Communicator
‎09-03-2012 11:42 PM

I tried this command, but it returns "0 matching events".
The logic seems to be correct though.
Is there any syntax we are missing?

0 Karma
Reply
Solved! Jump to solution

MHibbin
Influencer
‎09-03-2012 06:38 AM

If this answers your question please mark it as accepted (with the tick next to the answer), and if you are feeling generous you can also up-vote it. Thanks 🙂

0 Karma
Reply
Solved! Jump to solution

MHibbin
Influencer
‎09-03-2012 06:35 AM

So you want to use the values from the FramedIP field from the NetSweep_Log and use it search in the Radius Logs?

In that case you will need to use the subsearch feature, this will involve:

  1. Define you base search to gather field values (e.g. sourcetype=NetSweep_Log | top FramedIP)
  2. Append this to your main search, where you look at the Radius_log (e.g. sourcetype=Radius_log [search sourcetype=NetSweep_Log | top FramedIP | fields + FramedIP])

I'm assuming this is what you after. You should read docs here... http://docs.splunk.com/Documentation/Splunk/4.3.3/User/HowSubsearchesWork

Reply
Solved! Jump to solution

alenseb
Communicator
‎09-03-2012 06:10 AM

I guess this shows all the FramedIP from both the sourcetype.
But what i really need is All the data available in NetSweep_Log for FramedIP present in Radius_log.

I am new to Splunk. Sorry if its a stupid question.

Thanks!!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...