Splunk Search

subsearch with two events

jayaraj1717
New Member

I have two different types of logs and would like to combine both and show the Body message. Example logs as below:
Type1

date|Main=hostName:processName:primaryKey|msgDesc=Error timed out|Level=WARN|Body=Event trigered

Type2

date|Main=hostName:processName:primaryKey|Level=WARN|Body=<< TIMER TIMEOUT >>

Expecting the result as a table with the first two columns as date and primary key, then the remaining columns as the Body messages from both logging types.

Date PrimaryKey << Body message from Type1>> << Body message from type2>>

Query used:

"msgDesc=Error timed out"| rex field=_raw "Main=\w+:\w+:(?<Primarykey>\w+)"| table Body,date

But this is not giving me what I expected.

0 Karma

gcusello
SplunkTrust

Hi jayaraj1717,
If you need to create a table with three columns:

  • Date
  • PrimaryKey
  • Body

where each event of the first or second index is listed, you could simply use the table command (if they are in two indexes):

index=index1 OR index=index2
| table Date PrimaryKey Body

If instead you want to group and count events for each Date and PrimaryKey, you could use the stats command:

index=index1 OR index=index2
| stats values(Body) AS Body count BY Date PrimaryKey

If instead you want Body1 and Body2 on the same row in different columns, you have to use the stats and eval commands:

index=index1 OR index=index2
| eval Body1=if(index="index1",Body,null()), Body2=if(index="index2",Body,null())
| stats values(Body1) AS Body1 values(Body2) AS Body2 BY Date PrimaryKey

Bye.
Giuseppe

0 Karma
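The logic of the last search above (extract the primary key from the Main field, split the Body of each event type into its own column, then collapse to one row per Date and PrimaryKey), replayed in plain Python so it can be checked offline against the two sample formats from the question. This is an added example, not Splunk code and not part of either post; the log lines, host and key values are constructed, and the events are told apart by the presence of the msgDesc field rather than by index name, since the question puts both types in one raw feed.

```python
import re
from collections import defaultdict

# Constructed sample events in the two pipe-delimited formats shown in the question.
# Type1 carries msgDesc, Type2 does not; both share the date and the Main field.
SAMPLE_LOGS = [
    "2024-05-01 10:00:00|Main=hostA:procX:K100|msgDesc=Error timed out|Level=WARN|Body=Event trigered",
    "2024-05-01 10:00:00|Main=hostA:procX:K100|Level=WARN|Body=<< TIMER TIMEOUT >>",
    "2024-05-01 10:05:00|Main=hostB:procY:K200|msgDesc=Error timed out|Level=WARN|Body=Event trigered",
]

# Same pattern as the rex in the question: third colon-separated token of Main is the key.
MAIN_RE = re.compile(r"Main=\w+:\w+:(?P<PrimaryKey>\w+)")


def parse_event(raw):
    """Turn one pipe-delimited event into a field dict.

    The first token is the date; every later token is a key=value pair,
    which mirrors Splunk's automatic key=value extraction. PrimaryKey is
    pulled out of Main with the same regex the question used.
    """
    parts = raw.split("|")
    fields = {"date": parts[0]}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    match = MAIN_RE.search(raw)
    if match:
        fields["PrimaryKey"] = match.group("PrimaryKey")
    # Equivalent of the eval/if in the answer: decide which Body column the event feeds.
    fields["type"] = "Type1" if "msgDesc" in fields else "Type2"
    return fields


def combine(raw_events):
    """Equivalent of: eval Body1/Body2 by type | stats values(Body1) values(Body2) BY date PrimaryKey.

    values() keeps distinct values only, so sets are used per column; events
    missing a Body or a parsable PrimaryKey drop out, as they would in stats.
    """
    rows = defaultdict(lambda: {"Body1": set(), "Body2": set()})
    for raw in raw_events:
        ev = parse_event(raw)
        if "PrimaryKey" not in ev or "Body" not in ev:
            continue
        column = "Body1" if ev["type"] == "Type1" else "Body2"
        rows[(ev["date"], ev["PrimaryKey"])][column].add(ev["Body"])
    return [
        {"date": date, "PrimaryKey": pk,
         "Body1": sorted(cols["Body1"]), "Body2": sorted(cols["Body2"])}
        for (date, pk), cols in sorted(rows.items())
    ]


if __name__ == "__main__":
    for row in combine(SAMPLE_LOGS):
        print(row["date"], row["PrimaryKey"], row["Body1"], row["Body2"])
```

Note that the grouping only joins the two types when both events carry exactly the same date value, which the question's example implies; in practice a Type1 and Type2 event for the same key will often differ by seconds, in which case the group-by should use a coarser time field (a bucketed _time) or the primary key alone.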