Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

matching events across different logs

snickers314
New Member
‎12-20-2010 04:24 PM

Hi, I need to match events across different logs. I believe that this should be done using transactions, but I'm not able to get it to work. My scenario is as follows:

  • Log A: has info about users logging into System A
  • Log B: has info about users logging into System B

If a user appears in one, it should have a companion entry in the other.

I need to find all users that logged to one, but not the other.

Individually, I can find users in each log by doing a simple:

search index=indexA userName

but I can't find a way of saying "once you find it in indexA, look for it in indexB, and alert me if you can't"

Any advice is greatly appreciate.

Tags (1)
0 Karma
Reply

Simeon
Splunk Employee
Splunk Employee
‎12-20-2010 04:50 PM

You probably want to use a sub search that pulls the user id and matches (or NOT) across the other file. To do this:

  1. Create a field extraction for the userid in Log A & B. The field name should be exactly the same in both extractions.

  2. Search for all users that logged into System A and output only the userids. Similar to:

    source=Log_A user_logged_in | fields userid

  3. Use the latter search as the subsearch to find log ins for Log B. You must make sure the a field extraction exists for userid in Log B, otherwise the values passed from the subsearch won't match anything. Similar to:

    source=Log_B [search source=Log_A user_logged_in | fields userid]

So, the above search should find all users that logged in to System A & B. To find users that have not logged into both, you should be able to NOT the sub search.

source=Log_B NOT [search source=Log_A user_logged_in | fields userid]
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...