Trying to combine two logs.
Using this query to get a list of items from user log
source="/opt/mysplunk.log" earliest=-14days "logid=store-stuff" | eval storecode = substr(site,1,4) | top 3 storecode | FIELDS - count percent
that gives me a short list of
storecode
1 1234
2 6789
And the | FIELDS - count percent removes those extra fields so I just get my entries of 1234 and 6789.
This also proves my substring is right because I’m catching the string I expect.
Now I try to feed that into a network log to catch possible related causes that show up there
source="/usr/local/nagios/var/nagios.log" earliest=-14days | join [ search source="/opt/mysplunk.log" earliest=-14days "logid=store-stuff" | eval storecode = substr(site,1,4) | top 3 storecode | FIELDS - count percent]
but the result seems to match 50k records that don't have my identifiers of 1234 or 6789 in them.
What am I doing wrong, or what debugging method in Splunk do I use to figure out what it is really matching on? What is it actually piping through?
This is my first venture into join commands in Splunk queries.
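As an added example (not part of the original post, and not an official Splunk answer), here is one way to see exactly what a subsearch hands to the outer search, and a subsearch-as-filter form that avoids join altogether. It assumes the same two sources and time range as the post, and that the four-character store code appears as a plain string somewhere in the nagios.log event text; the field name "search" in the rename is Splunk's documented special name for returning bare search terms from a subsearch, and join with no field list matches on whichever fields the two result sets have in common.

```spl
source="/opt/mysplunk.log" earliest=-14days "logid=store-stuff"
| eval storecode = substr(site,1,4)
| top 3 storecode
| fields - count percent
| format

source="/usr/local/nagios/var/nagios.log" earliest=-14days
    [ search source="/opt/mysplunk.log" earliest=-14days "logid=store-stuff"
      | eval storecode = substr(site,1,4)
      | top 3 storecode
      | fields - count percent
      | rename storecode AS search ]
```

The first search is the debugging step: running the subsearch on its own with | format at the end prints the search string Splunk would substitute into the outer search (with the count and percent fields still present you would see them in that string as well, which is why dropping them matters). The second search uses the subsearch as a filter on the raw nagios events instead of a join: with the field renamed to search, the substituted string becomes ( 1234 ) OR ( 6789 ), so only nagios events containing one of those codes are returned. If nagios.log has its own extracted field for the store code, rename storecode to that field name instead of search so the filter matches on the field rather than on raw text.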