Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Joining two log files that have two common fields

karthicjayarama
New Member
‎11-16-2014 09:12 PM

Hello,

It would be very helpful for me if you could find out the solution for the following scenario.

SELECT * FROM mytable1 INNER JOIN mytable2 ON mytable1.mycolumn=mytable2.mycolum and mytable1.mycolumn1=mytable2.mycolum1

Please advice on this.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎11-17-2014 12:20 AM

Hi karthicjayaraman,

Try something like this:

your search to get Log1 OR LOG2 events | eval compare=data + "-" + status | stats count by compare, data, result, status | fields - compare

hope that helps to get you started...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎11-17-2014 12:20 AM

Hi karthicjayaraman,

Try something like this:

your search to get Log1 OR LOG2 events | eval compare=data + "-" + status | stats count by compare, data, result, status | fields - compare

hope that helps to get you started...

cheers, MuS

Reply
Solved! Jump to solution

acharlieh
Influencer
‎11-16-2014 10:46 PM

Could you be more specific about your exact scenario? You list a SQL query, but Splunk itself is not a relational database. There is a DBConnect app that allows Splunk to consume data from RDBMSes using SQL. Are you asking about that? Or are you using your query as the type of thing you're looking to do with logs stored in Splunk? Depending on your end goal and the data you are trying to relate, there are a number of SPL commands that can be used to correlate data across events (including but not limited to the SPL join command. The docs even have a nice flowchart with some examples as to under what conditions you might consider using a few of th...

0 Karma
Reply
Solved! Jump to solution

karthicjayarama
New Member
‎11-17-2014 12:06 AM

Hello Acharlieh,

Thanks for your reply . I have two log files with me called log1 and log2. I have to join those 2 logs with common fields (2 unique Fields) .

Log1 Sample

data=demo result=pass status=12345
data=required result=fail status=123

Log2 Sample

data=demo result=abort status=12345
data=info result=denied status=123

I would like to create the search query if the log1 data and status matched to Log2.

Here the problem is I have to match 2 common fields (data and Status ) .Could you please guide me on this.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top