I have to extract the same features from two sets of logs with very different formats and need to take the additional features into account to shortlist the logs. Let me explain the case with an example,
LOG_TYPE_1 || field_1 || field_2 || field_3............. || field_9
LOG_TYPE_2 || field_a || field_1 || field_2 || field_b || field_c || field_3...........|| field_9
I have to filter LOG_TYPE_2 | where field_a="type_a"
Now for both these I have to take Log_type, field_1, field_2, field_3, field_9 from both and then continue with the rest of the query in common.
For the above case, how can I create two rex/regex expressions and run the above Splunk query in a single search string (or in the most efficient manner) rather than with the time-consuming, lengthy JOIN it would otherwise need?
P.S. There are many other types of logs in the data. I only need to use the above two for this purpose.
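One way to do this without a JOIN, as an added example that is not part of the original post: each `rex` only extracts fields from events whose prefix it matches (a non-matching `rex` simply adds nothing), so one `rex` per log type normalises both formats onto the same field names and a single `where` applies the `field_a` filter only to LOG_TYPE_2. It assumes `||` is the delimiter, that `field_4` to `field_8` sit between `field_3` and `field_9` in both formats, and placeholder index/sourcetype names.

```spl
index=<index_placeholder> sourcetype=<sourcetype_placeholder>
    ("LOG_TYPE_1" OR "LOG_TYPE_2")
| rex field=_raw "^\s*(?<log_type>LOG_TYPE_[12])\s*\|\|"
| rex field=_raw "^\s*LOG_TYPE_1\s*\|\|\s*(?<field_1>[^|]*?)\s*\|\|\s*(?<field_2>[^|]*?)\s*\|\|\s*(?<field_3>[^|]*?)\s*\|\|(?:[^|]*\|\|){5}\s*(?<field_9>[^|]*?)\s*$"
| rex field=_raw "^\s*LOG_TYPE_2\s*\|\|\s*(?<field_a>[^|]*?)\s*\|\|\s*(?<field_1>[^|]*?)\s*\|\|\s*(?<field_2>[^|]*?)\s*\|\|\s*(?<field_b>[^|]*?)\s*\|\|\s*(?<field_c>[^|]*?)\s*\|\|\s*(?<field_3>[^|]*?)\s*\|\|(?:[^|]*\|\|){5}\s*(?<field_9>[^|]*?)\s*$"
| where log_type="LOG_TYPE_1" OR (log_type="LOG_TYPE_2" AND field_a="type_a")
| table log_type field_1 field_2 field_3 field_9
```

Events of either type that fail their own `rex` end up without `log_type` or `field_a` and are dropped by the `where`, so the rest of the query only ever sees the common five fields; replace the final `table` with the remaining shared pipeline.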