Solved: Re: How would I merge the events from two log file...

cal_dunigan · ‎03-18-2016

The logs are created by the same application and have the same fields.

What I am after is displaying the count of events from two hosts (of 10) as a single host in a timechart. This search breaks out authentications across 10 hosts, I want it to look like there are 9 hosts.

sourcetype=rsa_auth AUTHN_LOGIN_EVENT| timechart span=1d count by host

jhupka · ‎03-18-2016

You could do it in the search with an eval to merge the two hosts' data into one:

sourcetype=rsa_auth AUTHN_LOGIN_EVENT | eval host=if(host="serverA.foo.com" OR host="serverB.foo.com", "single_server.foo.com", host) | timechart span=1d count by host

View solution in original post

jhupka · ‎03-18-2016

You could do it in the search with an eval to merge the two hosts' data into one:

sourcetype=rsa_auth AUTHN_LOGIN_EVENT | eval host=if(host="serverA.foo.com" OR host="serverB.foo.com", "single_server.foo.com", host) | timechart span=1d count by host

How would I merge the events from two log files so that it appears as if coming from a single host?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How would I merge the events from two log files so that it appears as if coming from a single host?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!