Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Joining two logs by two common fields and output the values as a table

rajadatta
New Member
‎06-10-2015 06:20 PM

Hi - I would like to join two logs and get specific result as table. I want to join by two common fields. Been working on getting this all day and need help.

so I have log 1 as below and want these values in a table

index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-device-category.log" | table DateStamp UserId
mailingid ttype DeviceInfo

I have log 2
index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-success.log"

The common fields I want to join by mailingid,UserId.

In this second log, I want to only return the field EMAIL

In the end I need including the first logs output and second logs output in a table

So looking for this

DateStamp UserId EMAIL mailingid ttype DeviceInfo

Thanks for any help, if more info is needed, I will gladly input them in this forum

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-10-2015 08:08 PM

Try this:

(index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-device-category.log") OR (index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-success.log") | stats values(*) AS * BY mailingid,UserId | table DateStamp UserId EMAIL mailingid ttype DeviceInfo

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-10-2015 08:08 PM

Try this:

(index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-device-category.log") OR (index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-success.log") | stats values(*) AS * BY mailingid,UserId | table DateStamp UserId EMAIL mailingid ttype DeviceInfo
0 Karma
Reply
Solved! Jump to solution

rajadatta
New Member
‎06-12-2015 10:20 AM

Thank you for your help.

I was curious what to do when the second search does not have a common field to join on and ommitting those results.

So I specifically want to output when there is an actual join with both fields for the two searches.

Again appreciate the help.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...