Splunk Search

subsearch with two events

jayaraj1717
New Member

I have two different types of logs and would like to combine both and show the Body message. Example logs are below:
Type1

date|Main=hostName:processName:primaryKey|msgDesc=Error timed out|Level=WARN|Body=Event trigered

Type2

date|Main=hostName:processName:primaryKey|Level=WARN|Body=<< TIMER TIMEOUT >>

Expecting the result as in the table: the first two columns as date and primary key, then the remaining columns as the Body messages from both logging types.

Date PrimaryKey << Body message from Type1>> << Body message from type2>>

Query used:

"msgDesc=Error timed out"| rex field=_raw "Main=\w+:\w+:(?<Primarykey>\w+)"| table Body,date

But this is not giving me what I expected.

0 Karma

gcusello
SplunkTrust

Hi jayaraj1717,
If you need to create a table with three columns:

  • Date
  • PrimaryKey
  • Body

where each event of the first or second index is listed, you could simply use the table command (if they are in two indexes):

index=index1 OR index=index2
| table Date PrimaryKey Body

If instead you want to group and count events for each Date and PrimaryKey, you could use the stats command:

index=index1 OR index=index2
| stats values(Body) AS Body count BY Date PrimaryKey

If instead you want Body1 and Body2 on the same row in different columns, you have to use the stats and eval commands:

index=index1 OR index=index2
| eval Body1=if(index="index1",Body,""), Body2=if(index="index2",Body,"")
| stats values(Body1) AS Body1 values(Body2) AS Body2 BY Date PrimaryKey

Bye.
Giuseppe

0 Karma
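As an added example (not code from the thread), this applies the third approach above to the two pipe-delimited log formats in the question when both types land in the same index, telling Type1 from Type2 by whether a msgDesc field is present rather than by index name. The index name app_logs is an assumed placeholder; the rex patterns extract Date, PrimaryKey, msgDesc and Body from the raw event, and null() is used instead of "" so that values() only collects real Body text.

```spl
index=app_logs
| rex field=_raw "^(?<Date>[^|]+)\|Main=[^:|]+:[^:|]+:(?<PrimaryKey>[^|]+)\|"
| rex field=_raw "\|msgDesc=(?<msgDesc>[^|]*)"
| rex field=_raw "\|Body=(?<Body>.*)$"
| eval Body1=if(isnotnull(msgDesc), Body, null()), Body2=if(isnull(msgDesc), Body, null())
| stats values(Body1) AS Body1 values(Body2) AS Body2 BY Date PrimaryKey
| table Date PrimaryKey Body1 Body2
```

Rows only merge when both events carry exactly the same Date string; if the two log types are written a few seconds apart, group by a bucketed timestamp (for example `bin _time span=1m` and `BY _time PrimaryKey`) instead of the raw Date field.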