How to join two log files with matching strings?

RichaSingh · ‎11-25-2014

Hi ,
I have a log file with series of DFS path. Another csv file with an array of strings (which I refer to as Qtree). I would like to do a string search for each value of the field Qtree. This is what I have tried:

index=qt | eval search_id=Qtree | join search_id type=inner [search source=C:\Users\risingh\Desktop\qtree\dfsback.txt $search_id$ | fields _raw ]

This shows no results found.
Can someone please help me with this string array search and joining the two results? I have been trying for a really long to make a way out, but couldn't .... need to get this sorted!

MuS · ‎12-13-2014

take a look at this: http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi... to get an idea how to get this done a different way .... because join should be a last resort .... not the first option to use

tachifelix · ‎12-12-2014

Try this
index=qt source=csvfile.csv |rename Qtree as search_id |join search_id type=inner [search source=C:\Users\risingh\Desktop\qtree\dfsback.txt $search_id$ | fields _raw ] ” or”index=qt source=csvfile.csv |join Qtree type=inner [search source=C:\Users\risingh\Desktop\qtree\dfsback.txt $ Qtree $ | fields _raw ]

vasanthmss · ‎11-25-2014

Try this,

search source=C:\Users\risingh\Desktop\qtree\dfsback.txt | [index=qt  | stats count by Qtree | table Qtree | rename Qtree as search | format ]

Sub search will gives you the list of Qtree's from 'qt'.
Overall search will gives you the _raw data from the sourcefile which are matching Qtree from qt index.

V

RichaSingh · ‎12-13-2014

Appreciate the response!
But I have already tired those.
Any other work around if anyone could direct me to ?

How to join two log files with matching strings?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies