Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Join and chart events from 2 log files with common field value but not lables.

Cuyose
Builder
‎09-24-2015 03:00 PM

I see a ton of these type questions, but none seem to pertain to what I am doing or I just dont understand them.

I have 2 sourcetype that have a common ID in the events,
sourcetypeA with RequestId
sourcetypeB with requestId

What I need to do is timechart by a field that only occurs in sourcetypeB but only when the corresponding request Id in sourcetypeA has a particular field value.

0 Karma
Reply

MuS
Legend
‎09-24-2015 03:47 PM

Hi Cuyose,

Take a look at this answer http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi... which also includes an example what you're trying to do. In a nutshell try something like this:

sourcetypeA OR sourcetypeB | eventstats count by RequestId requestId anyothervalue | timechart count by field where RequestId > "5"

This will only timechart events with field events if RequestId is over 5. Be reminded this is out of my head and un-tested, so you maybe need to tweak it.

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...