Splunk Search

combining fields from two log entries which have a common id that is named differently

dreeck
Path Finder

Base,

How can I combine two log entries that share a common ID when the field name of the ID is different between both entries?

Currently I'm using re-name to change my field names into strings that don't contain "-" (eval seems to hate "-"),

rename v.my-very-long-field-name.rid AS rid
then eval to give the unique field names a single name, and transact:

eval request_id=if(isnull(rid), req, rid)
transaction request_id |

Last thing: I table values from both log entries. Seems like it should work great... but... it doesn't.
I end up with table entries containing values from 1 log entry or the other, not both.

Help me Obi Wan...

Tags (1)
0 Karma

knielsen
Contributor

It would be helpful to see what you are doing with the data, other than "table". Maybe your use case can be done with

sourcetype=A OR sourcetype=B
| rename your.very.long.field.name as rid
| eval request_id=coalesce(req, rid)
| stats <your logic> by request_id
| table your result
0 Karma

horsefez
Motivator

Hi my very young padawan,

as you did not provide enough sample data or your full query I have to write in pseudo code.
What I will try is introduce you to subsearches. You can find more information about them here:
http://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/Useasubsearch

index=logsource_A AND my-very-long-field-name.rid=* | rename my-very-long-field-name.rid AS rid
| join rid [search index=logsource_B AND rid=*]

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...