Splunk Search

Join or something better?

tb582
Explorer

I'm new to Splunk; here's my issue. I have a log file which contains the extracted fields below:
task_id
task_duration
content_owner
task_type

I'm looking to find the task_duration for two search strings "string ABC" OR "string 123", so those two lines which would return would have task_id, task_duration, and task_type. I need to use the task_id to find the content_owner, as it's elsewhere in the log... In the end what I want to see is:

task_id: #### content_owner: XYZ task_type: XYZ task_duration: ####
task_type: ZYX task_duration: ####

task_id: #### etc

0 Karma

cramasta
Builder

Really would need to see your data to figure out the right solution, but you could try something like:

... | transaction task_id

OR

... | stats values(*) AS * by task_id

0 Karma

tb582
Explorer

ok logs sent

0 Karma

cramasta
Builder

Will you still be sending example data?

So is there one line with taskid, duration, type? Then another line with id and owner where the id will equal taskid?

0 Karma

tb582
Explorer

Actually, looking at my data again, it looks like I was slightly off... Maybe you can help me with a bit more detail. So I still want to see the data as above, but I was wrong about content_owner: it's not contained within the same task_id, but rather Splunk will need to look for owner based on an extracted field called id.

0 Karma

cramasta
Builder

Sure send to j1621c@Yahoo.com

0 Karma

tb582
Explorer

I tried that - doesn't seem to work exactly the way I want - can I send you some examples offline?

0 Karma
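
Added example, not part of the thread: one way to get the layout tb582 describes without `join`, by pulling both kinds of event in a single search and grouping them with `stats`. It assumes, which the thread does not confirm, that the owner events carry the extracted fields `id` and `content_owner`, that `id` holds the same value as `task_id` on the task events, and that `<your_index>` and `<your_sourcetype>` are placeholders for your own values.

```spl
index=<your_index> sourcetype=<your_sourcetype>
    ("string ABC" OR "string 123" OR content_owner=*)
| eval corr_id=coalesce(task_id, id)
| stats values(content_owner) AS content_owner
        list(task_type) AS task_type
        list(task_duration) AS task_duration
        BY corr_id
| where isnotnull(task_duration)
| rename corr_id AS task_id
```

`list()` keeps task_type and task_duration in event order so the two columns line up row by row, provided every matching task event has both fields; the `where` clause drops ids that only ever appeared on an owner event.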