Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Join result of two queries with common field ?

ayush8878
New Member
‎12-03-2019 06:31 PM

Hi,

I have a use case where i need to join result of two septate logs on the basis of common field(breadcrumbId).
Below is the query i used but i am not getting any results for this query 

source="/opt/jboss/jboss-fuse/data/log/access_log" OR "/opt/jboss/jboss-fuse/data/log/fuse.log" ("Audience value in the JWT is*" OR ("path=/rest/cases/" "filename*=")) | stats values(*) as * by breadcrumbId | table breadcrumbId AccessedFrom

While if I try separately I am getting results

Query 1:source="/opt/jboss/jboss-fuse/data/log/fuse.log" "Audience value in the JWT is" | table breadcrumbId AccessedFrom 
Query 2:source="/opt/jboss/jboss-fuse/data/log/access_log" (("path=/rest/cases/" "filename*=")) | stats values(*) as * by breadcrumbId filename
0 Karma
Reply

woodcock
Esteemed Legend
‎12-03-2019 09:46 PM

It must be that the first source has no events with values for filename so leave it in the values(*) pile like this:

index="YouShouldAlwaysSpecifyAnIndex" AND
((source="/opt/jboss/jboss-fuse/data/log/fuse.log" AND "Audience value in the JWT is") OR
(source="/opt/jboss/jboss-fuse/data/log/access_log" AND "path=/rest/cases/" AND "filename*="))
| stats values(*) AS * BY breadcrumbId
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎12-03-2019 06:39 PM

Hi ayush8878,

try this:

( source="/opt/jboss/jboss-fuse/data/log/fuse.log" "Audience value in the JWT is" ) OR ( source="/opt/jboss/jboss-fuse/data/log/access_log" ("path=/rest/cases/" "filename*=")) 
| eval filename=if(isnotnull(filename), filename, "none") 
| stats values(*) AS * by breadcrumbid filename

Hope this helps ...

cheers, MuS

0 Karma
Reply

ayush8878
New Member
‎12-03-2019 07:05 PM

Thanks MuS but this way I am getting resuls only from fuse.log while I need data from access.log and fuse.log merged on breadcrumbid

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎12-04-2019 12:27 PM

Okay, looking at the second search on the access_log you use "filename*=" so you don't actually search for a field called filename. The first thing you need to do here is create a field called filename and then it will work. Assuming the filename* thingy does not contain any spaces, try this:

( source="/opt/jboss/jboss-fuse/data/log/fuse.log" "Audience value in the JWT is" ) OR ( source="/opt/jboss/jboss-fuse/data/log/access_log" ("path=/rest/cases/" "filename*=")) 
 | rex "filename[^=]*=(?<filename>[^\s]+)" 
 | eval filename=if(isnotnull(filename), filename, "none") 
 | stats values(*) AS * by breadcrumbid filename

Hope this helps ...

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...