Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Create transaction from results of another transaction

simpkins1958
Contributor
‎09-05-2017 01:55 PM

sourcetype=A has d_id field
sourcetype=B has d_id and m_pid field
sourcetype=C has m_pid field

Need to build transaction between sourcetype=A and sourcetype=B where d_id field is equal. Then need to build a transation from AB and souretype=C where m_pid's are equal.

When sourcetype=A event happens I need to get information from souretype=C going through sourcetype=B.

I have tried many iterations of transactions and append with subsearch and can't get working.

0 Karma
Reply

woodcock
Esteemed Legend
‎09-06-2017 07:36 PM

This is actually one of the few usecases where it probably makes sense to use transaction: a transitive relationship between multiple unique keys. But you are doing it wrong; you don't need 2 transactions, just 1, like this:

sourcetype=A OR sourcetype=B OR sourcetype=C
| transaction d_id m_pid
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-06-2017 02:33 AM

Hi simpkins1958,
did you tried with join command?

index=your_index sourcetype=sourcetypeA
| join d_id [ search index=your_index sourcetype=sourcetypeB ]
| join m_pid [ search  index=your_index sourcetype=C ]

Surely it will not be very quick but also with a double transaction it's the same thing!
Bye.
Giuseppe

0 Karma
Reply

MuS
Legend
‎09-06-2017 03:05 AM

Oh there are so many limits and problems you will hit with this.

Check out the awesome Let's stats handle this for you by Sideview March 2016 http://wiki.splunk.com/Virtual_.conf or find some hints in the answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo...

But basically you could do this untested search:

base search goes here 
| stats values(*) as * by d_id m_pid

because all your events will either have d_id or m_pid.

Without real world events we cannot help more ...

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...