Splunk Search

Match the value in same fieldname on different log

marendra
Explorer

Hi All,

I need to match two value from different logs but same field name. How can I do that?
Example I have Ironport where it has recipient field and exchange server behind it that has recipient field as well. I want make condition before I do the search where the recipient in ironport must be the same recipient in th exchange.
In database example it is quite easy where we can do table1.sender==table2.sender (tabel1 abd table2 is for ironport and exchange respectively)
How can i do it in splunk?

Please advise

Thank you

Tags (1)
0 Karma

dwaddle
SplunkTrust
SplunkTrust

Splunk has a join operation as well, but it is usually not the best performing approach. http://www.innovato.com/splunk/SQLSplunk.html

For this example, you might find using Splunk transactions to be of use. http://www.splunk.com/base/Documentation/latest/Knowledge/Abouttransactions

marendra
Explorer

Hi

Thanks a lot. Unfortunately, it couldn't work for my case.
Anyway, it is a good link you gave me there.

Thanks again

Regards

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...