- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Joining two logs by two common fields and output t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi - I would like to join two logs and get specific result as table. I want to join by two common fields. Been working on getting this all day and need help.
so I have log 1 as below and want these values in a table
index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-device-category.log" | table DateStamp UserId
mailingid ttype DeviceInfo
I have log 2
index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-success.log"
The common fields I want to join by mailingid,UserId.
In this second log, I want to only return the field EMAIL
In the end I need including the first logs output and second logs output in a table
So looking for this
DateStamp UserId EMAIL mailingid ttype DeviceInfo
Thanks for any help, if more info is needed, I will gladly input them in this forum
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
(index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-device-category.log") OR (index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-success.log") | stats values(*) AS * BY mailingid,UserId | table DateStamp UserId EMAIL mailingid ttype DeviceInfo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
(index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-device-category.log") OR (index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-success.log") | stats values(*) AS * BY mailingid,UserId | table DateStamp UserId EMAIL mailingid ttype DeviceInfo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your help.
I was curious what to do when the second search does not have a common field to join on and ommitting those results.
So I specifically want to output when there is an actual join with both fields for the two searches.
Again appreciate the help.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
