Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

search 2 logfiles from same source, but different fields.

dbrooks_CIR
New Member
‎08-12-2021 02:46 PM

I have an index which contains data from many logfiles. I want to search for specific data in log1 and display  with field count from log2. Log1 has the url data (sites, page loads, etc) and log2 has the username,  with a common field X_Forwarded_For.  My search is below. I'm wanting to show a count based on username in log2  of all url clicks in log1. So far I have this:

index = iis-prod host = hostname source="logfile1" cs_uri_stem="*.aspx" NOT(/_layouts/*.aspx) NOT(/_forms/*.aspx) NOT(/_login/*.aspx) NOT X_Forwarded_For = 10.* | stats count by X_Forwarded_For |sort by count desc

Instead of displaying X_Forwarded_For from logfile1, I want to display the count with username from Logfile2. 

I'm sure i'm making this more complicated than it needs to be, I just can't get it cleared up. 

Labels (1)
Labels
0 Karma
Reply

renjith_nair
Legend
‎08-12-2021 11:01 PM

Please provide some sample events if possible.

In general, you should be able to combine them as

index = iis-prod host = hostname (source="logfile1" cs_uri_stem="*.aspx" NOT(/_layouts/*.aspx) NOT(/_forms/*.aspx) NOT(/_login/*.aspx) NOT X_Forwarded_For = 10.*)
   OR (source="logfile2" <conditions for logfile2)
 | stats count(username) by X_Forwarded_For |sort by count desc
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...