Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display logs that have the same _time value from two different fields?

brieucjulou
Engager
‎08-10-2015 06:43 AM

Hello everyone,

I have been looking for an answer all over the forum and documentation, but it still won't work..

I have 2 differents fields: host="server1" OR sourcetype="ws.log"

They produce logs that have nothing in common, but some happens at the same moment on both servers. I want to display only these logs.

example:

all the logs:
log5 from server1 at 16:56:30
log4 from ws.log at 15:35:45
log3 from server1 at 15:35:45
log2 from ws.log at 12:44:23
log1 from ws.log at 11:43:55

display:
log4 from ws.log at 15:35:45
log3 from server1 at 15:35:45

Thank you for your help!

Kind regards

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sduff_splunk
Splunk Employee
Splunk Employee
‎08-10-2015 05:45 PM

Assuming the time is being extracted as _time, you could do

 transaction _time

The difficulty is that the events must happen at the "exact" same time. You may want to use the bin command to round these events to the nearest second.

| bin _time span=1s | transaction _time

Or you could do something like

| bin _time span=1s | stats values(_raw), count by _time | where count > 1

View solution in original post

Reply
Solved! Jump to solution
Solution

sduff_splunk
Splunk Employee
Splunk Employee
‎08-10-2015 05:45 PM

Assuming the time is being extracted as _time, you could do

 transaction _time

The difficulty is that the events must happen at the "exact" same time. You may want to use the bin command to round these events to the nearest second.

| bin _time span=1s | transaction _time

Or you could do something like

| bin _time span=1s | stats values(_raw), count by _time | where count > 1
Reply
Solved! Jump to solution

brieucjulou
Engager
‎08-11-2015 01:26 AM

The third command actually works. It gathers the logs into group depending on their time.
I have still some trouble to manipulate the result but I will figure it out!

Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...