Splunk Search

Merge results of two searches with transactions

Simon
Contributor

Hi there

Is there a way to merge the results of two different searches, where I'm grouping the events with the transaction search command and then grouping them again based on the value of a field from both searches?

Thanks, Simon

Update: As requested, here are examples of my search:

Search 1:

index=smtp1 | transaction tr_id maxspan=2m | search status="sent"

Search 2:

index=smtp2 | transaction tr_id maxspan=2m | rex "Ok: queued as (?<remote_tr_id>[a-zA-Z0-9]+)" | search status="sent"

Now I'd like to merge the results where the value of tr_id from search 1 matches the value of the field remote_tr_id from search 2.

1 Solution

gkanapathy
Splunk Employee

If possible, it's preferable to rewrite the search into a single search (OR'ing the source data and possibly making a more complex transaction), but if not, you can use the append search command.

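Following the append route from the answer above, the two searches in the question can be combined into one pipeline. This is an added example, not code from the thread or from Splunk; the join_id field name is an assumption, chosen so both sides carry the same key before the final grouping:

```spl
index=smtp1
| transaction tr_id maxspan=2m
| search status="sent"
| eval join_id=tr_id
| append
    [ search index=smtp2
      | transaction tr_id maxspan=2m
      | rex "Ok: queued as (?<remote_tr_id>[a-zA-Z0-9]+)"
      | search status="sent"
      | eval join_id=remote_tr_id ]
| transaction join_id
```

The bracketed search runs as a subsearch, so its result count and runtime are bounded by the subsearch limits in limits.conf; a join_id that appears on only one side ends up as a single-sided group, which is a quick way to spot messages that smtp2 queued but smtp1 never reported as sent.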

Simon
Contributor

Done, see my two searches and the explanation


Dark_Ichigo
Builder

The problem with the append/join command is that your search needs to be based on the "stats, timechart, chart" commands to do so. I have tried using an inner join to group transactions from multiple indexes, but it doesn't seem to work.


Lowell
Super Champion

Yes, this is possible. I would suggest that you provide an example of your two different searches. (Use the "edit" link to update your question.)
