
Find closest events in 2 indexes


Hi.

We have a distributed production environment with IHS as an HTTP server (3 hosts). Access logs from those hosts are joined into index="app-prd-web". Then we have a J2EE application deployed to a cluster of WebSphere Application Servers (9 hosts) with all application logs joined to index="application-prd". We are seeing some FileNotFoundException errors in index="application-prd" and we want to know what URL was used on the web when this happened.

To do that we would like to search in index="app-prd-web" for the closest preceding event to the timestamp of the FileNotFoundException in index="application-prd".

I couldn't find the proper example in Splunk documentation to do that. I have 2 separate searches but I can't figure out the way to join them.

Query 1: index="application-prd" AND FileNotFoundException

Query 2: index="app-prd-web" AND 200 AND http://*.do

I understand that I need to use transaction or subsearch... Could you please help me?
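One way to express the "closest preceding web event" lookup described in the question, as an added example that is not part of the original post: both searches run as a single query, the events are put in ascending time order, and the most recent access-log line is carried forward onto each FileNotFoundException event. The field names web_request, web_time and gap_seconds are introduced here for illustration, and the search terms are copied from Query 1 and Query 2; the approach assumes the clocks on the web and application hosts are synchronised.

```spl
(index="application-prd" FileNotFoundException) OR (index="app-prd-web" 200 http://*.do)
| sort 0 _time
| eval web_request=if(index=="app-prd-web", _raw, null())
| eval web_time=if(index=="app-prd-web", _time, null())
| filldown web_request web_time
| search index="application-prd"
| eval gap_seconds=_time - web_time
| table _time host gap_seconds web_request _raw
```

The match is made on time alone, so with several web and application hosts serving requests concurrently the preceding access-log line is a candidate rather than a proven cause. A large gap_seconds value indicates a weak match.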

