Solved: How would I merge the events from two log files so...

cal_dunigan · ‎03-18-2016

The logs are created by the same application and have the same fields.

What I am after is displaying the count of events from two hosts (of 10) as a single host in a timechart. This search breaks out authentications across 10 hosts, I want it to look like there are 9 hosts.

sourcetype=rsa_auth AUTHN_LOGIN_EVENT| timechart span=1d count by host

jhupka · ‎03-18-2016

You could do it in the search with an eval to merge the two hosts' data into one:

sourcetype=rsa_auth AUTHN_LOGIN_EVENT | eval host=if(host="serverA.foo.com" OR host="serverB.foo.com", "single_server.foo.com", host) | timechart span=1d count by host

View solution in original post

jhupka · ‎03-18-2016

You could do it in the search with an eval to merge the two hosts' data into one:

sourcetype=rsa_auth AUTHN_LOGIN_EVENT | eval host=if(host="serverA.foo.com" OR host="serverB.foo.com", "single_server.foo.com", host) | timechart span=1d count by host

How would I merge the events from two log files so that it appears as if coming from a single host?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

How would I merge the events from two log files so that it appears as if coming from a single host?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases