transaction group by two IDs

fk319 · ‎03-07-2013

I have data that has two IDs for each transaction. Of course most logs have one or the other and only one has both. I tried:

...| transaction ID, ID2 |...

but found that I would sometimes get two transaction records, one with just ID and the other with both ID and IDs.

I could not find an "OR" option, just that the engine would figure it out. Does anyone have some suggestions?

yannK · ‎03-09-2013

try to add the presence of the 2 fields as a condition before the transactions :

id=* AND id2=* | transaction id id2

fk319 · ‎03-11-2013

Then I would not see the details of id or id2, just the link between the two.

fk319 · ‎03-08-2013

those work fine, it seams when I have id1 and id2 defined, then id1 and id2 correlated.

martin_mueller · ‎03-08-2013

So the following events all form one big transaction?

event1 id=1
event2 id=1 id2=a
event3 id2=a

fk319 · ‎03-08-2013

In this case, one ID is external activity and the other ID is internal activity. some where during the transaction there is an a correlation between the two.

martin_mueller · ‎03-08-2013

How do the two IDs relate to each other? In other words, how should events be grouped into one transaction?

fk319 · ‎03-07-2013

no, more like
event=1 host=a
event=2 cookie=b
event=3 host=a cookie=b

cramasta · ‎03-07-2013

would you say your data set is like this

event=1 host=a
event=2 host=a cookie=b
event=3 cookie=b

transaction group by two IDs

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...