Splunk Search

How would I merge the events from two log files so that it appears as if coming from a single host?

cal_dunigan
New Member

The logs are created by the same application and have the same fields.

What I am after is displaying the count of events from two hosts (of 10) as a single host in a timechart. This search breaks out authentications across 10 hosts, I want it to look like there are 9 hosts.

sourcetype=rsa_auth AUTHN_LOGIN_EVENT| timechart span=1d count by host

Tags (1)
0 Karma
1 Solution

jhupka
Path Finder

You could do it in the search with an eval to merge the two hosts' data into one:

sourcetype=rsa_auth AUTHN_LOGIN_EVENT | eval host=if(host="serverA.foo.com" OR host="serverB.foo.com", "single_server.foo.com", host) | timechart span=1d count by host

View solution in original post

jhupka
Path Finder

You could do it in the search with an eval to merge the two hosts' data into one:

sourcetype=rsa_auth AUTHN_LOGIN_EVENT | eval host=if(host="serverA.foo.com" OR host="serverB.foo.com", "single_server.foo.com", host) | timechart span=1d count by host
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...