Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract data from 2 different logs

chimuru84
Explorer
a month ago

Hello community!

I want to extract data from 2 different logs like bellow:

Log 1: 2024-04-28 06:38:51 INFO Start auth for accountId=1, ip=192.168.1.1

Log 2: 2024-04-28 06:38:27 INFO Collect response for accountId=1, was: response=FINISH

For example for accountId=1 I have 10 logs with "Start auth", I mean 10 attempts of start auth.

In second log, for the same accountId I have 1 or more logs with FINISH.

I want to make a table like

accountId                              Start auth                                      FINISH

1                                                 10                                                       1

 

Could you helm me with this? 

Thank you.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
a month ago

Have you already extracted accountId and response? If response does not have any value (null) does the event come from log1? If so, you could try something like this

| eval state=coalesce(response, "Start auth")
| chart count by accountId state

View solution in original post

Reply
Solved! Jump to solution

chimuru84
Explorer
a month ago

It works, thank you very much. One more thing, time filter isn't work, I mean if I set for 24H, search return logs for all time

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
a month ago

This is a different question. Please start a new question with as much detail as possible.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
a month ago

Have you already extracted accountId and response? If response does not have any value (null) does the event come from log1? If so, you could try something like this

| eval state=coalesce(response, "Start auth")
| chart count by accountId state
Reply
Get Updates on the Splunk Community!

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...