Re: combining fields from two log entries which ha...

dreeck · ‎08-31-2018

Base,

How can I combine two log entries that share a common ID when the field name of the ID is different between both entries?

Currently I'm using re-name to change my field names into strings that don't contain "-" (eval seems to hate "-"),

rename v.my-very-long-field-name.rid AS rid
then eval to give the unique field names a single name, and transact:

eval request_id=if(isnull(rid), req, rid)
transaction request_id |

Last thing: I table values from both log entries. Seems like it should work great... but... it doesn't.
I end up with table entries containing values from 1 log entry or the other, not both.

Help me Obi Wan...

knielsen · ‎09-04-2018

It would be helpful to see what you are doing with the data, other than "table". Maybe your use case can be done with

sourcetype=A OR sourcetype=B
| rename your.very.long.field.name as rid
| eval request_id=coalesce(req, rid)
| stats <your logic> by request_id
| table your result

horsefez · ‎09-01-2018

Hi my very young padawan,

as you did not provide enough sample data or your full query I have to write in pseudo code.
What I will try is introduce you to subsearches. You can find more information about them here:
http://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/Useasubsearch

index=logsource_A AND my-very-long-field-name.rid=* | rename my-very-long-field-name.rid AS rid
| join rid [search index=logsource_B AND rid=*]

combining fields from two log entries which have a common id that is named differently

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk