Create transaction from results of another transac...

simpkins1958 · ‎09-05-2017

sourcetype=A has d_id field
sourcetype=B has d_id and m_pid field
sourcetype=C has m_pid field

Need to build transaction between sourcetype=A and sourcetype=B where d_id field is equal. Then need to build a transation from AB and souretype=C where m_pid's are equal.

When sourcetype=A event happens I need to get information from souretype=C going through sourcetype=B.

I have tried many iterations of transactions and append with subsearch and can't get working.

woodcock · ‎09-06-2017

This is actually one of the few usecases where it probably makes sense to use transaction: a transitive relationship between multiple unique keys. But you are doing it wrong; you don't need 2 transactions, just 1, like this:

sourcetype=A OR sourcetype=B OR sourcetype=C
| transaction d_id m_pid

gcusello · ‎09-06-2017

Hi simpkins1958,
did you tried with join command?

index=your_index sourcetype=sourcetypeA
| join d_id [ search index=your_index sourcetype=sourcetypeB ]
| join m_pid [ search  index=your_index sourcetype=C ]

Surely it will not be very quick but also with a double transaction it's the same thing!
Bye.
Giuseppe

MuS · ‎09-06-2017

Oh there are so many limits and problems you will hit with this.

Check out the awesome Let's stats handle this for you by Sideview March 2016 http://wiki.splunk.com/Virtual_.conf or find some hints in the answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo...

But basically you could do this untested search:

base search goes here 
| stats values(*) as * by d_id m_pid

because all your events will either have d_id or m_pid.

Without real world events we cannot help more ...

cheers, MuS

Create transaction from results of another transaction

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life