Hi All -
I am pretty new at advanced Splunk searching, so I'm probably missing something very easy. I have two access log files that are of the same request, but from different servers, logging different things. They share a common field that is unique per request. I'd like to join these two files in a Splunk search. I've easily whipped up a search using join which seems to work; however, the main search results screen only shows one of the two files as output. I'd like to see a combination of both files instead. Here are examples:
file 1:
10.10.10.10 - - [04/Nov/2010:10:40:02 -0400] "GET /favicon.ico HTTP/1.1" 200 318 "-" AAABBBCCCDDDEEEFFF
file 2:
10.10.10.10 myusername AAABBBCCCDDDEEEFFF
AAABBBCCCDDDEEEFFF is unique, and common between the two. I turned that into a field called UniqueID on both. What I'm ultimately after is a single result that looks like (or something similar):
10.10.10.10 - - [04/Nov/2010:10:40:02 -0400] "GET /favicon.ico HTTP/1.1" 200 318 "-" AAABBBCCCDDDEEEFFF myusername
The join I have come up with is simply:
sourcetype="access_log_1" | join UniqueID [search sourcetype="access_log_2" ]
If I save these results as a CSV, it works as expected; however, I can't see the results laid out nicely in the Splunk interface. Am I missing something?
Thanks,
Al
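The correlation the post describes, worked through offline as an added example (this is not code from the original post, and not a Splunk command): the two constructed log formats below are modelled on the lines quoted above, the second line of each file is invented to show what happens when a request has no partner record, and the field names `UniqueID`, `user` and `clientip` are assumptions standing in for whatever extractions are configured in Splunk. The join is a left join keyed on `UniqueID`, so every access_log_1 request survives, and a record whose two halves disagree on the client IP is flagged rather than silently merged.

```python
import re

# Constructed sample input modelled on the two lines quoted in the post; the
# second line of each file is invented to exercise the unmatched-request case.
ACCESS_LOG_1 = """\
10.10.10.10 - - [04/Nov/2010:10:40:02 -0400] "GET /favicon.ico HTTP/1.1" 200 318 "-" AAABBBCCCDDDEEEFFF
10.10.10.11 - - [04/Nov/2010:10:40:05 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" 111222333444555666
"""

ACCESS_LOG_2 = """\
10.10.10.10 myusername AAABBBCCCDDDEEEFFF
10.10.10.12 otheruser 999888777666555444
"""

# Field extractions standing in for the UniqueID (and other) fields the post
# configured in Splunk; the group names are assumptions.
LOG1_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" (?P<UniqueID>\S+)$'
)
LOG2_RE = re.compile(r'^(?P<clientip>\S+) (?P<user>\S+) (?P<UniqueID>\S+)$')


def parse(text, pattern):
    """Return one dict per line that matches pattern, keeping the raw line as _raw."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m is None:
            continue  # skip lines that do not fit the expected format
        event = m.groupdict()
        event["_raw"] = line
        events.append(event)
    return events


def join_by_unique_id(log1_text, log2_text):
    """Left join of access_log_1 onto access_log_2 by UniqueID.

    Every access_log_1 event is kept; user is None when access_log_2 has no
    record for that request. ip_mismatch is True when the two records for one
    UniqueID disagree on the client IP, which is worth surfacing rather than
    merging blindly.
    """
    by_id = {}
    for ev in parse(log2_text, LOG2_RE):
        by_id.setdefault(ev["UniqueID"], ev)  # first record wins if an ID repeats
    joined = []
    for ev in parse(log1_text, LOG1_RE):
        row = dict(ev)
        match = by_id.get(ev["UniqueID"])
        row["user"] = match["user"] if match else None
        row["ip_mismatch"] = bool(match) and match["clientip"] != ev["clientip"]
        joined.append(row)
    return joined


def render(row):
    """Build the single combined line the post asks for: raw access line plus user."""
    return f'{row["_raw"]} {row["user"] or "-"}'


if __name__ == "__main__":
    for row in join_by_unique_id(ACCESS_LOG_1, ACCESS_LOG_2):
        print(render(row))
```

The `render` function is the offline equivalent of what the Splunk event list does not do on its own: the events view shows the outer search's `_raw`, and fields pulled in by the join only appear in the field sidebar or in a `| table` of the columns you name.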