- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Join result of two queries with common field ?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Join result of two queries with common field ?
Hi,
I have a use case where i need to join result of two septate logs on the basis of common field(breadcrumbId).
Below is the query i used but i am not getting any results for this query
source="/opt/jboss/jboss-fuse/data/log/access_log" OR "/opt/jboss/jboss-fuse/data/log/fuse.log" ("Audience value in the JWT is*" OR ("path=/rest/cases/" "filename*=")) | stats values(*) as * by breadcrumbId | table breadcrumbId AccessedFrom
While if I try separately I am getting results
Query 1:source="/opt/jboss/jboss-fuse/data/log/fuse.log" "Audience value in the JWT is" | table breadcrumbId AccessedFrom
Query 2:source="/opt/jboss/jboss-fuse/data/log/access_log" (("path=/rest/cases/" "filename*=")) | stats values(*) as * by breadcrumbId filename
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It must be that the first source has no events with values for filename so leave it in the values(*) pile like this:
index="YouShouldAlwaysSpecifyAnIndex" AND
((source="/opt/jboss/jboss-fuse/data/log/fuse.log" AND "Audience value in the JWT is") OR
(source="/opt/jboss/jboss-fuse/data/log/access_log" AND "path=/rest/cases/" AND "filename*="))
| stats values(*) AS * BY breadcrumbId
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ayush8878,
try this:
( source="/opt/jboss/jboss-fuse/data/log/fuse.log" "Audience value in the JWT is" ) OR ( source="/opt/jboss/jboss-fuse/data/log/access_log" ("path=/rest/cases/" "filename*="))
| eval filename=if(isnotnull(filename), filename, "none")
| stats values(*) AS * by breadcrumbid filename
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks MuS but this way I am getting resuls only from fuse.log while I need data from access.log and fuse.log merged on breadcrumbid
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, looking at the second search on the access_log you use "filename*=" so you don't actually search for a field called filename. The first thing you need to do here is create a field called filename and then it will work. Assuming the filename* thingy does not contain any spaces, try this:
( source="/opt/jboss/jboss-fuse/data/log/fuse.log" "Audience value in the JWT is" ) OR ( source="/opt/jboss/jboss-fuse/data/log/access_log" ("path=/rest/cases/" "filename*="))
| rex "filename[^=]*=(?<filename>[^\s]+)"
| eval filename=if(isnotnull(filename), filename, "none")
| stats values(*) AS * by breadcrumbid filename
Hope this helps ...
cheers, MuS
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
