We have two separate logs for errors from different programs. I am currently running two separate searches:
source="*bsf0003.stdout" "error"
sample of data:
[12/04/13 14:13:37:150] MessageReference=XXXXXXXXXXXXXXXX SystemName=CS DistributionChannel=CS QuoteNumber=XXXXXXXX CallingProgram=psfsave Desc="Error Code: 0110, Error Desc: Quote is Locked Out"
source="/u3/logs/QTE_SVCS2_SYNCQTE_PROD/QTE_SVCS2_SYNCQTE/syncqtesvc.log" "transactionstatus=e" MessageCode="" QuoteNumber="" NOT MessageCode="301"
sample data:
2013-12-04 14:22:35,400 [WebSphere_EJB_Timer_Service_WorkManager.Alarm Pool : 0] INFO CLASS=SyncQuoteService, MessageReference=EC00A6F3-E700-72E2-E044-0017A477, SystemName=DRC, Operation=SyncQuoteServiceBatch, QuoteNumber=XXXXXXXX, QuoteEffectiveDate=XXXXXXXXX, QuoteCreationDate=XXXXXXXX, BindIndicator=N, ProcessIndicator=E, TransactionStatus=E, MessageCode=E900, FunctionName=FULLPROCESS, ElapseTime=1306
I need to identify Quote numbers that have errors on BOTH sources, how should I go about doing that?
I missed the last line in your question. The answer @somesoni2 provided is much better suited to solve your problem.
Try following
source="*bsf0003.stdout" "error" | stats count by QuoteNumber | fields - count | join QuoteNumber [search source="/u3/logs/QTE_SVCS2_SYNCQTE_PROD/QTE_SVCS2_SYNCQTE/syncqtesvc.log" "transactionstatus=e" MessageCode="" QuoteNumber="" NOT MessageCode="301" | stats count by QuotaNumber | fields - count ]
Above will give list of QuotaNumber present in both the queries. Stats are used to get unique values for QuotaNumber from both the search (which is faster than using dedup).
Assuming your correlationId is QuoteNumber you can do this:
(source="*bsf0003.stdout" "error") OR (source="/u3/logs/QTE_SVCS2_SYNCQTE_PROD/QTE_SVCS2_SYNCQTE/syncqtesvc.log" "transactionstatus=e" MessageCode="" QuoteNumber="" NOT MessageCode="301") | transaction QuoteNumber
This will group all events from both sources with the same QuoteNumber together into transactions. I should note that transactions are intense operations. Try reading up on transactions and look at ways of limiting the time they are open. Use parameters like maxpause, maxspan, and startswith/endswith.
Hope this helps