Hi All, I need to match two value from different logs but same field name. How can I do that? Example I have Ironport where it has recipient field and exchange server behind it that has recipient field as well. I want make condition before I do the search where the recipient in ironport must be the same recipient in th exchange. In database example it is quite easy where we can do table1.sender==table2.sender (tabel1 abd table2 is for ironport and exchange respectively) How can i do it in splunk? Please advise Thank you ... View more

Hi I have quite number of Linux machine and I have sent their logs to my Splunk. The scenario is I would like to get the table similar like below: Hostname Errors Warnings HostA 4 4 HostB 44 1 I twisted my brain to do this since I am new to Splunk. Not like Windows, Windows log has Type field, where Linux log messages never categorize the log criticality. So I need to do my self. This is the one that I do: sourcetype="messages" fail | stats count as fails by host | join host [search sourcetype="messages" error | stats count as errs by host] | stats values(fails), values(errs) by host | rename values(fails) as Failures | rename values(errs) as Errors | rename host as Hostname It works and I can put in the table. But, When I click it, it will come out with no result. Is ther any better way? or is there a way to put html link below my table on my dashboard, for example, drilldown. So user can just click that one and I can turn of the drilldown in the table. Please help Thanks a lot ... View more