Splunk Search

Joining two logs by two common fields and output the values as a table

rajadatta
New Member

Hi - I would like to join two logs and get specific result as table. I want to join by two common fields. Been working on getting this all day and need help.

so I have log 1 as below and want these values in a table

index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-device-category.log" | table DateStamp UserId
mailingid ttype DeviceInfo

I have log 2
index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-success.log"

The common fields I want to join by mailingid,UserId.

In this second log, I want to only return the field EMAIL

In the end I need including the first logs output and second logs output in a table

So looking for this

DateStamp UserId EMAIL mailingid ttype DeviceInfo

Thanks for any help, if more info is needed, I will gladly input them in this forum

Tags (3)
0 Karma
1 Solution

woodcock
Esteemed Legend

Try this:

(index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-device-category.log") OR (index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-success.log") | stats values(*) AS * BY mailingid,UserId | table DateStamp UserId EMAIL mailingid ttype DeviceInfo

View solution in original post

0 Karma

woodcock
Esteemed Legend

Try this:

(index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-device-category.log") OR (index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-success.log") | stats values(*) AS * BY mailingid,UserId | table DateStamp UserId EMAIL mailingid ttype DeviceInfo
0 Karma

rajadatta
New Member

Thank you for your help.

I was curious what to do when the second search does not have a common field to join on and ommitting those results.

So I specifically want to output when there is an actual join with both fields for the two searches.

Again appreciate the help.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...