I have three different events that compose a single email transaction that I need to list together. The problem is that they don't have a single field in common across all three events.
In eventA I have message_id and postfix_queue_id.
In eventB I have postfix_queue_id and PMX_queue_ID.
In eventC I have just the PMX_queue_ID.
I feel like this should be a pretty simple search string, but I can't seem to get the syntax to spit out the results I want.
Give this a try. This will add all three fields to all events (message_id, postfix_queue_id and PMX_queue_ID).
(base search eventA) OR (base search eventB) OR (base search eventC)
| eventstats values(postfix_queue_id) as temp by PMX_queue_ID | eval postfix_queue_id=coalesce(postfix_queue_id,temp)
| eventstats values(PMX_queue_ID) as temp by postfix_queue_id | eval PMX_queue_ID=coalesce(PMX_queue_ID,temp)
| eventstats values(message_id) as temp by postfix_queue_id PMX_queue_ID | eval message_id=coalesce(message_id,temp)
| fields - temp
After that you can add appropriate command per your requirements. (transaction, stats, timechart etc)
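The answer above chains the keys in a fixed order: the first pass copies postfix_queue_id onto eventC via the shared PMX_queue_ID, the second copies PMX_queue_ID onto eventA via the shared postfix_queue_id, and only then can message_id be spread across all three, because by that point every event carries both queue ids. The following Python reproduces that eventstats/coalesce logic on constructed log events, so the propagation can be stepped through outside Splunk. It is an added example, not code from the thread; the event dicts, field values, and helper names (eventstats_fill, link_mail_events, by_message) are all made up here. It also includes an eventC whose PMX_queue_ID never appears in an eventB, to show that such an event stays unlinked rather than being attached to the wrong message.

```python
from collections import defaultdict

# Constructed sample events mirroring the question: eventA carries message_id and
# postfix_queue_id, eventB carries postfix_queue_id and PMX_queue_ID, eventC only
# PMX_queue_ID. Two transactions are interleaved, plus one orphan eventC whose
# PMX_queue_ID has no matching eventB. (Sample data, not taken from the thread.)
EVENTS = [
    {"type": "eventA", "message_id": "<m1@example.test>", "postfix_queue_id": "AAA111"},
    {"type": "eventB", "postfix_queue_id": "AAA111", "PMX_queue_ID": "PMX-1"},
    {"type": "eventC", "PMX_queue_ID": "PMX-1", "action": "delivered"},
    {"type": "eventA", "message_id": "<m2@example.test>", "postfix_queue_id": "BBB222"},
    {"type": "eventB", "postfix_queue_id": "BBB222", "PMX_queue_ID": "PMX-2"},
    {"type": "eventC", "PMX_queue_ID": "PMX-2", "action": "quarantined"},
    {"type": "eventC", "PMX_queue_ID": "PMX-9", "action": "deferred"},  # orphan
]


def eventstats_fill(events, target, by):
    """Mimic `eventstats values(target) as temp by <by> | eval target=coalesce(target,temp)`.

    Events lacking any of the `by` fields are skipped, just as eventstats leaves
    them out of the grouping. Returns new dicts; the input list is not modified.
    """
    groups = defaultdict(set)
    for ev in events:
        if all(k in ev for k in by) and target in ev:
            groups[tuple(ev[k] for k in by)].add(ev[target])
    out = []
    for ev in events:
        ev = dict(ev)
        if target not in ev and all(k in ev for k in by):
            vals = groups.get(tuple(ev[k] for k in by))
            if vals:
                # values() yields a multivalue field when a key maps to several values
                ev[target] = next(iter(vals)) if len(vals) == 1 else sorted(vals)
        out.append(ev)
    return out


def link_mail_events(events):
    """Apply the three passes from the answer, in the order that makes them work."""
    events = eventstats_fill(events, "postfix_queue_id", ["PMX_queue_ID"])
    events = eventstats_fill(events, "PMX_queue_ID", ["postfix_queue_id"])
    events = eventstats_fill(events, "message_id", ["postfix_queue_id", "PMX_queue_ID"])
    return events


def by_message(events):
    """Group linked events per message_id, roughly what `| transaction message_id`
    or `| stats values(*) by message_id` would produce afterwards."""
    txns = defaultdict(list)
    for ev in events:
        txns[ev.get("message_id", "<unlinked>")].append(ev["type"])
    return dict(txns)


if __name__ == "__main__":
    for msg, kinds in by_message(link_mail_events(EVENTS)).items():
        print(msg, kinds)
```

Each eventstats pass holds one set of values per group in memory, so keep the three base searches as narrow as the indexes and sourcetypes allow; on a busy mail relay the queue-id cardinality is exactly what makes an unscoped search expensive. Unlinked events (the "<unlinked>" bucket here) are worth keeping visible rather than dropping, since a PMX event with no Postfix counterpart in the time window is itself a signal worth reviewing.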
@cmo87 - Did the answer provided by somesoni2 help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!
Sweet. That method is going in my toolbox.
This Splunk / NoSQL idea of just throwing everything in the same pot and then stirring until it unmixes itself. Brilliant.