Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Reading same field from multiple log files

hegdevageesh
New Member
‎04-07-2020 05:50 AM

I have 2 log files from different sources. Both log files have statements either indicating a "Transaction-Start" or "Transaction-End" . "EPOCH" is a field common in both log files indicating the timestamp of either start or end of a transaction.

Now I want to write a query that fetches EPOCH of "Transaction-Start" from log file 1, call it as, say start and EPOCH of "Transaction-End" from log file 2, call it as, say end. Following this, I want to find the difference between end and start and display only those logs with a difference higher than a threshold, say 10000

What I have tried writing is below :

index=someIndex ENVIRONMENT="someEnv" (source="/log/source1.log" "Transaction-Start" "EPOCH" as start) OR (source="/log/source2.log" "Transaction-End" "EPOCH" as end) 
    | eval difference=end-start 
    | where difference>10000

But this is not working. Looking for help in composing this search in the right way.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-07-2020 06:28 AM

Try this. It assumes EPOCH is an integer. If it isn't then you'll need to use strptime to convert it into an integer.

index=someIndex ENVIRONMENT="someEnv" EPOCH=* (source="/log/source1.log" "Transaction-Start") OR (source="/log/source2.log" "Transaction-End") 
| eval start = if(source="/log/source1.log", EPOCH, null()), end = if (source="/log/source2.log", EPOCH, null())
| stats values(*) as * by TXID
| eval difference=end-start 
| where difference>10000
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-07-2020 06:28 AM

Try this. It assumes EPOCH is an integer. If it isn't then you'll need to use strptime to convert it into an integer.

index=someIndex ENVIRONMENT="someEnv" EPOCH=* (source="/log/source1.log" "Transaction-Start") OR (source="/log/source2.log" "Transaction-End") 
| eval start = if(source="/log/source1.log", EPOCH, null()), end = if (source="/log/source2.log", EPOCH, null())
| stats values(*) as * by TXID
| eval difference=end-start 
| where difference>10000
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-07-2020 06:08 AM

One cannot rename fields in a base search (the part before the first |). That's done using eval or rename.
Also, since the start and end times are in separate events, you will not find both 'start' and 'end' together. The starting and ending events must be combined via some common field. Is there a transaction ID or other field that can be used to join the two events?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

hegdevageesh
New Member
‎04-07-2020 06:13 AM

@richgalloway, yes, there is a "TXID" field that is common field in both log files.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...