Splunk Search

How would I merge the events from two log files so that it appears as if coming from a single host?

cal_dunigan
New Member

The logs are created by the same application and have the same fields.

What I am after is displaying the count of events from two hosts (of 10) as a single host in a timechart. This search breaks out authentications across 10 hosts, I want it to look like there are 9 hosts.

sourcetype=rsa_auth AUTHN_LOGIN_EVENT| timechart span=1d count by host

Tags (1)
0 Karma
1 Solution

jhupka
Path Finder

You could do it in the search with an eval to merge the two hosts' data into one:

sourcetype=rsa_auth AUTHN_LOGIN_EVENT | eval host=if(host="serverA.foo.com" OR host="serverB.foo.com", "single_server.foo.com", host) | timechart span=1d count by host

View solution in original post

jhupka
Path Finder

You could do it in the search with an eval to merge the two hosts' data into one:

sourcetype=rsa_auth AUTHN_LOGIN_EVENT | eval host=if(host="serverA.foo.com" OR host="serverB.foo.com", "single_server.foo.com", host) | timechart span=1d count by host
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...