I would like to compare the two logs and output the attachment file name to the alert if it is the same message ID.
For example, the A log and the B log are compared, and when the message ID is the same, the attached file name described in the B log is outputted to the alert.
Is this possible?
If it is possible, what kind of search sentences should I write?
I believe that niketnilay's answer is pretty much what you need.
Here's another way of looking at it. Remember that only streaming commands are allowed in the subsearches of multisearch:
| multisearch
[search index = Alog logtype=message_log from=* subject=* | fields index messageID subject count from]
[search index = Blog your other search terms | fields index messageID filename]
| whatever you omitted
| stats count as eventcount values(*) as * by messageID
Thank you very much.
I thank everyone who responded.
@honobe, it will be easier for us to assist if you provide sample/mocked data and field names from log A and log B.
If the two sources/sourcetypes for log A and log B are different and both have a messageID field, you are looking for the stats command to correlate them and alert when the number of results is > 0.
sourcetype="logA" OR sourcetype="logB" messageID=*
| stats count as eventcount values(sourcetype) as sourcetypes by messageID
| search eventcount>1 sourcetypes="logA" AND sourcetypes="logB"
Thank you for the answers.
I am sorry that there was little explanation.
Currently only the A logs are acquired.
The attached file name is not displayed in the A log, so I will try to acquire it from the B log.
* The attached file name is displayed in the B log.
Therefore, I want to compare the message IDs of the A log and the B log and, when they match, output the attachment file name from the B log.
Currently the following search sentences are used.
Index = A log logtype = message_log from = "" subject = ""
| 【omitted】
| table subject, count, from
| collect index = xxx source = "yyy" sourcetype = generic_single_line
I would like to add the attached file name to the output result of the search that is finally being used.
I would like to display the attachment file name that is linked to the message ID.
Then you can use the sendemail command on the query itself.
your base search | sendemail to=example@splunk.com server=mail.example.com subject="$message_id$ " message="$message_id$" sendresults=true format=raw sendpdf=true
I hope it helps.
@niketnilay - add values(filename) as filename
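As an added illustration (not code from the thread or from Splunk), the following Python mirrors what the suggested `stats count as eventcount values(*) as * by messageID | search eventcount>1 ...` pipeline does, with `values(filename)` carried through so the alert row shows the B-log attachment name. The log lines are constructed sample data; the field names `messageID`, `from`, `subject`, `count`, `filename` and the sourcetypes `logA`/`logB` are taken from the thread, everything else is an assumption for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the thread). Log A is the message log;
# log B carries the attachment filename for the same messageID.
LOG_A = [
    'sourcetype=logA messageID=<m001@example.com> from=alice@example.com subject="Q3 report" count=1',
    'sourcetype=logA messageID=<m002@example.com> from=bob@example.com subject="invoice" count=1',
    'sourcetype=logA messageID=<m003@example.com> from=carol@example.com subject="hello" count=1',
]
LOG_B = [
    'sourcetype=logB messageID=<m001@example.com> filename="report.xlsx"',
    'sourcetype=logB messageID=<m002@example.com> filename="invoice.pdf"',
    'sourcetype=logB messageID=<m002@example.com> filename="terms.docx"',
    'sourcetype=logB messageID=<m099@example.com> filename="orphan.zip"',
]

# key=value extraction; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Extract key=value fields from one raw event, stripping quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def stats_by_message_id(events):
    """Equivalent of: stats count as eventcount values(*) as * by messageID.

    Every non-key field becomes a multivalue list (sorted, deduplicated),
    which is how values() behaves in Splunk.
    """
    buckets = defaultdict(lambda: {"eventcount": 0, "values": defaultdict(set)})
    for ev in events:
        mid = ev.get("messageID")
        if mid is None:
            continue  # same effect as the messageID=* filter in the base search
        bucket = buckets[mid]
        bucket["eventcount"] += 1
        for key, value in ev.items():
            if key != "messageID":
                bucket["values"][key].add(value)
    rows = []
    for mid, bucket in buckets.items():
        row = {"messageID": mid, "eventcount": bucket["eventcount"]}
        for key, vals in bucket["values"].items():
            row[key] = sorted(vals)
        rows.append(row)
    return rows


def correlate(log_a, log_b):
    """Keep only messageIDs seen in BOTH sourcetypes and return alert rows.

    Mirrors: | search eventcount>1 sourcetypes="logA" AND sourcetypes="logB"
    with values(filename) as filename so the B-log attachment name is output.
    """
    events = [parse_event(line) for line in log_a + log_b]
    alerts = []
    for row in stats_by_message_id(events):
        seen = set(row.get("sourcetype", []))
        if row["eventcount"] > 1 and {"logA", "logB"} <= seen:
            alerts.append({
                "messageID": row["messageID"],
                "from": row["from"][0],
                "subject": row["subject"][0],
                "filename": row.get("filename", []),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(LOG_A, LOG_B):
        print(alert)
```

Running it yields two alert rows (m001 with report.xlsx, m002 with both invoice.pdf and terms.docx); m003 appears only in log A and m099 only in log B, so neither is alerted, which is exactly the `eventcount>1` plus both-sourcetypes condition from the accepted approach. Note that the filter must reference the renamed field (`sourcetypes`, the output of `values(sourcetype) as sourcetypes`), not the original `sourcetype`, or the search returns nothing.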