I have the following 2 logs
DRT.log: This consists of the following log lines:
{"date_time":"20220823-13:11:11.622475033","severity":"INFO","dc":"DRT"}
{"date_time":"20220823-13:11:11.622475099","severity":"INFO","version":"1.1.1"}
{"date_time":"20220823-13:11:11.622475099","severity":"INFO","state":"running"}
And CME.log: This consists of the following log lines:
{"date_time":"20220823-13:11:11.622475033","severity":"INFO","dc":"CME"}
{"date_time":"20220823-13:11:11.622475099","severity":"INFO","version":"2.2.2"}
{"date_time":"20220823-13:11:11.622475033","severity":"INFO","state":"down"}
The output I want to display is a table that looks like the following:
DataCenter Version State
DRT 1.1.1 running
CME 2.2.2 down
I have noticed that if I specify the explicit source file then my search query works for that individual source. As example:
index=exc_md_qa sourcetype="ctc:md:tickerplant" source="/splunk_log/DRT.log" | spath | search severity="INFO" | fields dc, version, state | stats values(dc) as DataCenter latest(version) as Version latest(state) as State
This above search returns:
DataCenter Version State
DRT 1.1.1 running
And likewise if I replace the source with the other log file, I get this...
index=exc_md_qa sourcetype="ctc:md:tickerplant" source="/splunk_log/CME.log" | spath | search severity="INFO" | fields dc, version, state | stats values(dc) as DataCenter latest(version) as Version latest(state) as State
This search yields the following:
DataCenter Version State
CME 2.2.2 down
However if I run the search with a wildcard for the source, I only get partial results...
index=exc_md_qa sourcetype="ctc:md:tickerplant" source="/splunk_log/*.log" | spath | search severity="INFO" | fields dc, version | stats values(dc) as DataCenter latest(version) as Version latest(state) as State
This yields the following (with missing data from DRT)
DataCenter Version State
CME 2.2.2 down
DRT
Or sorting by DataCenter then I don't get the state at all...
index=exc_md_qa sourcetype="ctc:md:tickerplant" source="/splunk_log/*.log" | spath | search severity="INFO" | fields dc, version | stats latest(version) as Version latest(state) as State by dc
This yields:
DataCenter Version State
CME 2.2.2
DRT 1.1.1
So the question is how do I combine them into one search. I think the brunt of the issue is tying the dc, state and version fields to the same source, but not sure how to do that
Any help is much appreciated!
To say this a different way... it is giving me the "latest" value of all logs combined; but really what I need is the "latest" value from each source file
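As an added illustration (not part of the question or of the poster's searches), a small Python re-implementation of the latest() aggregation over the two posted log files: once over all events combined, once grouped per source file, and once grouped by dc, which shows why the version and state events (which carry no dc field) end up in a group of their own. The LOGS dictionary is constructed from the lines above.

```python
import json

# Constructed sample: the two log files from the question, keyed by source path.
LOGS = {
    "/splunk_log/DRT.log": [
        '{"date_time":"20220823-13:11:11.622475033","severity":"INFO","dc":"DRT"}',
        '{"date_time":"20220823-13:11:11.622475099","severity":"INFO","version":"1.1.1"}',
        '{"date_time":"20220823-13:11:11.622475099","severity":"INFO","state":"running"}',
    ],
    "/splunk_log/CME.log": [
        '{"date_time":"20220823-13:11:11.622475033","severity":"INFO","dc":"CME"}',
        '{"date_time":"20220823-13:11:11.622475099","severity":"INFO","version":"2.2.2"}',
        '{"date_time":"20220823-13:11:11.622475033","severity":"INFO","state":"down"}',
    ],
}

def time_key(date_time):
    """Turn 'YYYYMMDD-HH:MM:SS.nnnnnnnnn' into a sortable tuple (nanoseconds kept)."""
    date, clock = date_time.split("-")
    hms, frac = clock.split(".")
    return (int(date),) + tuple(int(p) for p in hms.split(":")) + (int(frac),)

def load_events(logs):
    """Parse every line, keep severity=INFO only, and tag each event with its source."""
    events = []
    for source, lines in logs.items():
        for event in map(json.loads, lines):
            if event.get("severity") == "INFO":
                event["source"] = source
                event["_time"] = time_key(event["date_time"])
                events.append(event)
    return events

def latest(events, field):
    """Like stats latest(field): the value from the newest event that carries the field."""
    carrying = [e for e in events if field in e]
    return max(carrying, key=lambda e: e["_time"])[field] if carrying else None

def summarise(logs, group_by=None):
    """Mimic 'stats values(dc) latest(version) latest(state) [by <group_by>]'."""
    groups = {}
    for event in load_events(logs):
        groups.setdefault(event.get(group_by) if group_by else "all", []).append(event)
    return {key: {"DataCenter": latest(evs, "dc"),
                  "Version": latest(evs, "version"),
                  "State": latest(evs, "state")} for key, evs in groups.items()}
```

summarise(LOGS) returns one row built from the newest values of both files mixed together, summarise(LOGS, "source") returns one correct row per log file, and summarise(LOGS, "dc") puts every version and state event under the key None because those events have no dc field.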