How to search a log file based on the field value ...

vrvasantharaj · ‎08-25-2016

I need to read content from a second log file based on the field value which is extracted from the first log file. I did a filter using a keyword and got search results from the first log file (say firstlog.txt). I extracted a field file_name="secondlog.txt" using regex from first log file (firstlog.txt). The second file gets created with the same name (secondlog.txt) as field value which I extracted from the first log file. I need to display the content from both the log files and I am facing difficulties in searching the second log file.

I tried the below search and second search part is not returning any results. I need to correct the highlighted part.

index="aaa" AND host="xxx" source="D:\firstlog.txt" ERROR fields file_name| append [search index="aaa" source=mvjoin("D:\", mvindex(file_name,0)) ]

Please help me with this.

sundareshr · ‎08-25-2016

Try this (this assumes file_name is a field that has been extracted and has multiple values)

index="aaa" source=[search index="aaa" AND host="xxx" source="D:\\firstlog.txt" ERROR | eval search="d:\\\\".mvindex(file_name, 0)]

vrvasantharaj · ‎08-26-2016

Thanks for the help. Unfortunately, it did not work out.

sundareshr · ‎08-26-2016

Can the share the result of these two requests

index="aaa" AND host="xxx" source="D:\\firstlog.txt" ERROR | table file_name

*AND*

Click on Job>>Inspect Job, look for litsearch (Ctrl+F litsearch) in the popup window. Share that.

How to search a log file based on the field value extracted from another log file?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...