Join or something better?

tb582 · ‎03-06-2012

I'm new to splunk, here's my issue. I have a log file which contains the extracted fields below:
task_id
task_duration
content_owner
task_type

I'm looking to find the task_duration for two search strings "string ABC" OR "string 123" so those two lines which would return would have task_id, task_duration, and task_type. I need to use the task_id to find the content_owner as its elsewhere in the log... In the end what I want to see is:

task_id: #### content_owner: XYZ task_type: XYZ task_duration: ####
task_type: ZYX task_duration: ####

task_id: #### etc

cramasta · ‎03-06-2012

Really would need to see your data to figure out the right solution but you could try something like

...| transaction task_id

OR

....| stats values by task_id

tb582 · ‎03-06-2012

ok logs sent

cramasta · ‎03-06-2012

Will you still be sending example data?

So is there one line with taskid , duration, type. Then another line with Id and owner where the id will equal taskid?

tb582 · ‎03-06-2012

Actually looking at my data again, it looks like I was slightly off... Maybe you can help ne with a bit more detail. So I still want to see the data as above but I was wrong about content_owner its not contained within the same task_id but rather Splunk will need to look for owner based on an extracted field called id.

cramasta · ‎03-06-2012

Sure send to j1621c@Yahoo.com

tb582 · ‎03-06-2012

I tried that - doesnt seem to work exactly the way I want - can I send you some examples offline?

Join or something better?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms