×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
tva000
Observer
Member since: ‎09-07-2021
‎09-08-2021
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-07-2021
Activity Feed
View All

Joining two files with derived field

by in Splunk Search
‎09-07-2021 10:39 AM
‎09-07-2021 10:39 AM
Greetings, I am very new to Splunk and I am sure my question may have been asked multiple times.  I went through multiple articles but unable to get the answers.  It may be very simple for experts. I have two files and need to frame a query to join the log file with another log file, which are both *.json files File1.json "lvl": "DEBUG" "msg": "JobID 123456789012345678901234567890123456789012345678901234567890 completed with state: Failed" "ts": "2021-09-07T16:50:21.901Z" File2.json "JobName":"Lambda Handler" "Ruuid": "123456789012345678901234567890123456789012345678901234567890" My requirement is to parse File1.json and extract the JobID number alone, in this case 1234....0 and join this derived field with Ruuid in File2.json to form a end result like this JobName,JobID,msg Lambda Handler,123456789012345678901234567890123456789012345678901234567890,JobID 123456789012345678901234567890123456789012345678901234567890 completed with state: Failed I used substring to extract the JobID from File1 with this, but I am not sure how to use this derived field "Ruuid" to join with file 2 Ruuid index=* | source="File1.json" msg = *"completed with state:" | table msg | eval Ruuid = substr(msg,6,62) | Any inputs would be really helpful to me. Thanks. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎09-08-2021 11:55 PM