Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

combining fields from two log entries which have a common id that is named differently

dreeck
Path Finder
‎08-31-2018 06:20 PM

Base,

How can I combine two log entries that share a common ID when the field name of the ID is different between both entries?

Currently I'm using re-name to change my field names into strings that don't contain "-" (eval seems to hate "-"),

rename v.my-very-long-field-name.rid AS rid
then eval to give the unique field names a single name, and transact:

eval request_id=if(isnull(rid), req, rid)
transaction request_id |

Last thing: I table values from both log entries. Seems like it should work great... but... it doesn't.
I end up with table entries containing values from 1 log entry or the other, not both.

Help me Obi Wan...

Tags (1)
0 Karma
Reply

knielsen
Contributor
‎09-04-2018 04:51 AM

It would be helpful to see what you are doing with the data, other than "table". Maybe your use case can be done with

sourcetype=A OR sourcetype=B
| rename your.very.long.field.name as rid
| eval request_id=coalesce(req, rid)
| stats <your logic> by request_id
| table your result
0 Karma
Reply

horsefez
Motivator
‎09-01-2018 11:08 AM

Hi my very young padawan,

as you did not provide enough sample data or your full query I have to write in pseudo code.
What I will try is introduce you to subsearches. You can find more information about them here:
http://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/Useasubsearch

index=logsource_A AND my-very-long-field-name.rid=* | rename my-very-long-field-name.rid AS rid
| join rid [search index=logsource_B AND rid=*]

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top