Hi all,
I have 2 dump files and have separated them into 2 sourcetypes, sourcetype=transaction_status and sourcetype=transaction_detail. Here is some data from both sourcetypes:
sourcetype=transaction_status:
transaction_id: 1004 status: completed
transaction_id: 1005 status: completed
transaction_id: 1006 status: pending_payment
transaction_id: 1007 status: pending_payment
transaction_id: 1008 status: completed
transaction_id: 1009 status: completed
transaction_id: 1010 status: pending_payment
transaction_id: 1011 status: completed
sourcetype=transaction_detail:
transaction_id: 1004 vendor_id: 03 tag: ""
transaction_id: 1005 vendor_id: 07 tag: ""
transaction_id: 1006 vendor_id: 03 tag: ""
transaction_id: 1007 vendor_id: 03 tag: ""
transaction_id: 1008 vendor_id: 03 tag: ""
transaction_id: 1009 vendor_id: 01 tag: ""
transaction_id: 1010 vendor_id: 07 tag: ""
transaction_id: 1011 vendor_id: 03 tag: ""
I want to have a graph that shows the top 10 vendors that have completed status. I can search which transaction_ids have status completed from sourcetype transaction_status (that's easy), but how do I search which vendor is related to these transaction_ids (using data from sourcetype transaction_detail)?
So the output would be:
vendor_id count
3 3
1 1
7 1
Thanks,
Frank
You'll want to use a subsearch (see http://docs.splunk.com/Documentation/Splunk/6.0/SearchTutorial/Useasubsearch).
sourcetype=transaction_detail [search sourcetype="transaction_status" status="completed" | fields transaction_id] | stats count by vendor_id
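To make the subsearch mechanics concrete, here is an added Python model (not Splunk code and not part of the answer above) that parses the question's sample events, builds the OR-expression Splunk splices in from the inner search's results, and counts completed transactions per vendor.

```python
import re
from collections import Counter

# Constructed sample events, copied from the question's two sourcetypes.
STATUS_EVENTS = """\
transaction_id: 1004 status: completed
transaction_id: 1005 status: completed
transaction_id: 1006 status: pending_payment
transaction_id: 1007 status: pending_payment
transaction_id: 1008 status: completed
transaction_id: 1009 status: completed
transaction_id: 1010 status: pending_payment
transaction_id: 1011 status: completed
"""
DETAIL_EVENTS = """\
transaction_id: 1004 vendor_id: 03 tag: ""
transaction_id: 1005 vendor_id: 07 tag: ""
transaction_id: 1006 vendor_id: 03 tag: ""
transaction_id: 1007 vendor_id: 03 tag: ""
transaction_id: 1008 vendor_id: 03 tag: ""
transaction_id: 1009 vendor_id: 01 tag: ""
transaction_id: 1010 vendor_id: 07 tag: ""
transaction_id: 1011 vendor_id: 03 tag: ""
"""

FIELD_RE = re.compile(r"(\w+): (\S+)")

def parse_events(text):
    """Turn 'key: value key: value' lines into dicts (stands in for field extraction)."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]

def subsearch_filter(status_events, field="transaction_id"):
    """Inner search: status="completed" | fields transaction_id.
    Splunk formats the subsearch's result rows into an OR-expression and splices
    it into the outer search. Note the subsearch result cap (10,000 rows by
    default): past it the generated filter is truncated, so counts go missing."""
    ids = [e[field] for e in status_events if e.get("status") == "completed"]
    return ids, "(" + " OR ".join(f'{field}="{i}"' for i in ids) + ")"

def top_vendors(status_events, detail_events, limit=10):
    """Outer search: sourcetype=transaction_detail [subsearch] | stats count by vendor_id,
    then the top-N slice the question asks for (sort -count | head N)."""
    ids, _ = subsearch_filter(status_events)
    wanted = set(ids)
    counts = Counter(e["vendor_id"] for e in detail_events if e["transaction_id"] in wanted)
    return counts.most_common(limit)

if __name__ == "__main__":
    print(subsearch_filter(parse_events(STATUS_EVENTS))[1])
    print(top_vendors(parse_events(STATUS_EVENTS), parse_events(DETAIL_EVENTS)))
```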
sourcetype=transaction_status status="completed" | stats count by transaction_id | appendcols [search sourcetype="transaction_detail" | stats count by transaction_id vendor_id]| stats sum(count) as count by vendor_id
Hi Ayn,
I tried your approach and it works perfectly. Thanks... I didn't realize it was that simple. And with some modification based on amarsaroj's approach (using appendcols), we were able to create a more complex chart.