I think I am stuck on this for some reason; my head isn't working right when thinking about this problem.
I have a bunch of web logs that I need to sort out by a certain field (let's say XID) that is only inserted in 1 or 2 lines out of the xxx lines in a complete web transaction.
This web transaction can be defined with an SID for our transaction command.
However, I need to find all the transactions that include the n XIDs that I have created in an XID lookup table.
My original search:
sourcetype="web_log" [inputlookup xid_lookup.csv | fields XID] | transaction SID
The problem with this search is that it will only give the lines that have the XID in my lookup table,
but what I really want to do is list out all the lines in each transaction (by SID) that includes an XID from my lookup table only.
Is it possible to do so?
Just move the subsearch filter so that it is used after the transactions are created.
sourcetype="web_log" | transaction SID | search [| inputlookup xid_lookup.csv | fields XID]
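To make the difference between the two pipelines concrete, here is an added Python model (not Splunk code and not from the thread) of a single-field `transaction` and a `search [| inputlookup ...]` filter, run over a handful of constructed web-log events. The event rows and the `XID_LOOKUP` set stand in for the real log and for xid_lookup.csv; the function names are my own. It shows why filtering before `transaction` leaves only the 1-2 lines that carry an XID, while filtering after `transaction` keeps every line of a session whose XID set overlaps the lookup.

```python
from collections import defaultdict

# Constructed sample events (not from the thread). Only a few lines per
# session carry an XID, while SID is present on every line of the transaction.
SAMPLE_EVENTS = [
    {"_time": 1, "SID": "s1", "uri": "/login"},
    {"_time": 2, "SID": "s1", "uri": "/checkout", "XID": "x100"},
    {"_time": 3, "SID": "s1", "uri": "/confirm"},
    {"_time": 4, "SID": "s2", "uri": "/login"},
    {"_time": 5, "SID": "s2", "uri": "/checkout", "XID": "x999"},
    {"_time": 6, "SID": "s3", "uri": "/home"},
]

# Constructed stand-in for xid_lookup.csv: the XIDs we want transactions for.
XID_LOOKUP = {"x100", "x200"}


def transaction(events, field="SID"):
    """Approximate `| transaction <field>` for a single field: events sharing
    the field value become one record whose XID is the union of its members'
    values (Splunk exposes this as a multivalue field)."""
    groups = defaultdict(list)
    for ev in events:
        if field in ev:  # events lacking the field form no transaction here
            groups[ev[field]].append(ev)
    records = []
    for key, members in groups.items():
        records.append({
            field: key,
            "events": sorted(members, key=lambda e: e["_time"]),
            "XID": {e["XID"] for e in members if "XID" in e},
            "eventcount": len(members),
        })
    return records


def search_xid_in_lookup(records, lookup, field="XID"):
    """Approximate `| search [| inputlookup xid_lookup.csv | fields XID]`:
    keep records whose XID (single value or multivalue) matches any lookup value."""
    kept = []
    for rec in records:
        values = rec.get(field)
        if values is None:
            continue
        if isinstance(values, str):
            values = {values}
        if values & lookup:
            kept.append(rec)
    return kept


def original_search(events, lookup):
    """Subsearch filter applied *before* transaction: only the lines carrying a
    matching XID survive, so each resulting transaction is just those lines."""
    return transaction(search_xid_in_lookup(events, lookup))


def fixed_search(events, lookup):
    """Subsearch filter applied *after* transaction: the transaction record
    carries every XID seen in the session, so all of its lines are kept."""
    return search_xid_in_lookup(transaction(events), lookup)


if __name__ == "__main__":
    for label, fn in (("filter before", original_search), ("filter after", fixed_search)):
        for t in fn(SAMPLE_EVENTS, XID_LOOKUP):
            print(label, t["SID"], t["eventcount"], [e["uri"] for e in t["events"]])
```

With the sample data, `original_search` returns one transaction for s1 holding a single event, while `fixed_search` returns the same transaction with all three of its lines; s2 is dropped in both because x999 is not in the lookup. The model ignores `maxspan`, `maxpause` and multi-field grouping, which the real `transaction` command adds on top of this grouping-then-filtering order.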
Ayn, thanks a lot.
I think I got where I had it wrong in the first place.
Your | search [|inputlookup xxx] saved my trouble.
What I really need... might be this, to complete what we are looking for:
sourcetype ="web_log" | transaction SID XID | search [|inputlookup xid_lookup.csv | fields XID]
By this I will be able to filter out the different transactions of SIDs that are included with the particular XIDs in my table,
which will also run faster when I add maxspan for the transaction.