Splunk Search

Namespace between 2 or more variables found in 2 or more source logs

lpolo
Motivator

Let's say we have the following 3 logs sources:

request.log :
timestamp id=123 q=1 filter=2 query_time="timestamp"

response.log:
timestamp id=123 q="{1}" response="hello world" 

performance.log:
timestamp id=123 responsetime="1 ms"

Then we need to join these 3 logs with the following query:

(request.log) OR (response.log) OR (performance.log)|
 stats
  first(q) as q
  first(query_time) as _time
  first(response) as response
  first(responsetime) as responsetime
  dc(sourcetype) as dc by id|search dc=3

Based on these premises, is there a way in Splunk to define the namespace of variables? Example:

q.response.log
q.request.log

In this way, I will have the following query construct:

(request.log) OR (response.log) OR (performance.log)|
 stats
  first(q.request.log) as q_req
  first(q.response.log) as q_res
  first(query_time) as _time
  first(response) as response
  first(responsetime) as responsetime
  dc(sourcetype) as dc by id|search dc=3

Any idea?

Thanks,
Lp


martin_mueller
SplunkTrust

You can do something like this:

... | eval q_response_log = case(source == "response.log", q) | eval q_request_log = case(source == "request.log", q)

martin_mueller
SplunkTrust

Use spath to extract the bits from the json you need into fields then.

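Putting the two replies above together, here is a complete search that namespaces q per source with case() and handles the JSON source with spath. This is an added example, not a query from the thread; it assumes the three files land with their file name in the source field, that response.log is JSON with top-level keys q and response, and that the other two files are key=value text that Splunk extracts automatically.

```spl
(source="request.log") OR (source="response.log") OR (source="performance.log")
| spath
| eval q_req = case(source == "request.log", q),
       q_res = case(source == "response.log", q)
| stats first(q_req) as q_req
        first(q_res) as q_res
        first(query_time) as _time
        first(response) as response
        first(responsetime) as responsetime
        dc(sourcetype) as dc
        by id
| search dc=3
```

spath without arguments extracts the JSON fields from _raw on the response.log events and leaves the key=value events untouched, so q is populated on both sources before the eval runs. case() without a default returns null when no branch matches, and first() skips null values, which is what makes each namespaced field pick up the value from its own source inside the same id group. One check worth making: dc(sourcetype) only reaches 3 if the three files really have three different sourcetypes; if they share one, count dc(source) instead, or the search dc=3 filter will drop every id.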

lpolo
Motivator

I tested your recommendation and for my case it does not work. One of my source types is JSON and the other one is normal key=value pairs.


lpolo
Motivator

Thanks.
I will test it out. It makes sense.

Lp
