Let's say we have the following 3 log sources:
request.log:
timestamp id=123 q=1 filter=2 query_time="timestamp"
response.log:
timestamp id=123 q="{1}" response="hello world"
performance.log:
timestamp id=123 responsetime="1 ms"
Then we need to join these 3 logs with the following query:
source="request.log" OR source="response.log" OR source="performance.log"
| stats
first(q) as q
first(query_time) as _time
first(response) as response
first(responsetime) as responsetime
dc(sourcetype) as dc by id
| search dc=3
Based on these premises, is there a way in Splunk to define the namespace of variables? Example:
q.response.log
q.request.log
In this way, I would have the following query construct:
source="request.log" OR source="response.log" OR source="performance.log"
| stats
first(q.request.log) as q_req
first(q.response.log) as q_res
first(query_time) as _time
first(response) as response
first(responsetime) as responsetime
dc(sourcetype) as dc by id
| search dc=3
Any idea?
Thanks,
Lp
You can do something like this:
... | eval q_response_log = case(source == "response.log", q) | eval q_request_log = case(source == "request.log", q)
I tested your recommendation, and for my case it does not work. One of my sourcetypes is JSON and the other one is normal key=value pairs.
Thanks.
Use spath to extract the bits you need from the JSON into fields, then.
I will test it out. It makes sense.
Lp
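The join discussed in this thread, reimplemented in Python as an added example (it is not Splunk code and not from the original posts) so the semantics of the answer can be checked offline: per-sourcetype field extraction (json.loads standing in for spath, a key=value regex for the others), per-source copies of the ambiguous field q (what the eval/case() trick produces: the copy is null in every other source, so first() over the group picks the right one), and the stats-by-id with the dc=3 filter. The sample events, the sourcetype names app:request, app:response and app:performance, and the double-underscore naming q__request.log are all constructed assumptions for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample events (source, sourcetype, raw line), modelled on the three
# formats in the thread; they are not real logs. Request and performance lines
# are key=value, the response source is JSON, the mix that broke the plain eval.
# id=124 has no performance event and must be dropped by the dc=3 filter.
SAMPLE_EVENTS = [
    ("request.log", "app:request",
     '2024-01-01T00:00:00Z id=123 q=1 filter=2 query_time="2024-01-01T00:00:00Z"'),
    ("response.log", "app:response",
     '{"timestamp": "2024-01-01T00:00:01Z", "id": 123, "q": "{1}", "response": "hello world"}'),
    ("performance.log", "app:performance",
     '2024-01-01T00:00:01Z id=123 responsetime="1 ms"'),
    ("request.log", "app:request",
     '2024-01-01T00:00:02Z id=124 q=7 filter=2 query_time="2024-01-01T00:00:02Z"'),
    ("response.log", "app:response",
     '{"timestamp": "2024-01-01T00:00:03Z", "id": 124, "q": "{7}", "response": "bye"}'),
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
JSON_SOURCETYPES = {"app:response"}   # assumption: which sourcetypes carry JSON


def extract_fields(sourcetype, raw):
    """Field extraction per sourcetype: json.loads for JSON events (the role
    spath plays in SPL), a key=value regex for the rest. Values are normalised
    to str so an id from JSON (123) and from key=value ("123") group together."""
    if sourcetype in JSON_SOURCETYPES:
        return {k: str(v) for k, v in json.loads(raw).items()}
    return {k: v.strip('"') for k, v in KV_RE.findall(raw)}


def namespace(fields, source, names=("q",)):
    """Per-source copies of ambiguous fields, e.g. q__request.log. Equivalent to
    eval q_request_log = case(source=="request.log", q): the copy exists only in
    events from that source, so it is null (absent) everywhere else."""
    out = dict(fields)
    for name in names:
        if name in fields:
            out[f"{name}__{source}"] = fields[name]
    return out


def first(events, field):
    """SPL first(): the first value seen for the field, skipping events that lack it."""
    for e in events:
        if field in e:
            return e[field]
    return None


def join_by_id(events, required_sourcetypes=3):
    """stats first(...) ... dc(sourcetype) as dc by id | search dc=3"""
    groups = defaultdict(list)
    for source, sourcetype, raw in events:
        f = namespace(extract_fields(sourcetype, raw), source)
        f["source"], f["sourcetype"] = source, sourcetype
        groups[f["id"]].append(f)
    rows = {}
    for id_, evs in groups.items():
        dc = len({e["sourcetype"] for e in evs})
        if dc != required_sourcetypes:
            continue   # search dc=3: an id missing any source is dropped
        rows[id_] = {
            "q_req": first(evs, "q__request.log"),
            "q_res": first(evs, "q__response.log"),
            "_time": first(evs, "query_time"),
            "response": first(evs, "response"),
            "responsetime": first(evs, "responsetime"),
            "dc": dc,
        }
    return rows


if __name__ == "__main__":
    for id_, row in join_by_id(SAMPLE_EVENTS).items():
        print(id_, row)
```

Two things worth checking against your own data when translating this back to SPL: the base search filters on source while the completeness check counts dc(sourcetype), so if two of the sources share a sourcetype the count never reaches 3 and every row is dropped (count dc(source) instead, or give each source its own sourcetype); and spath has to run before the eval/case() step, otherwise q is simply not a field yet on the JSON events and the per-source copy comes out null.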