Dear All,
I have just started using Splunk and I have a question:
I have one index and two source types. The structure is as follows:
index: servers
sourcetypes: server and gateway
The record structure (fields) is as follows:
sourcetype=gateway
|
->OriginID: (this is an alphanumeric ID - e.g. 12345)
->ClientType: (can be either BACKEND or FRONTEND)
sourcetype=server
|
->TransactionID: (this is an alphanumeric ID - e.g. 12345)
I was trying to build a query that would give me a number of all BACKEND (or FRONTEND) transactions where OriginID equals TransactionID. I basically need to know how many are hitting the server from BACKEND and how many from FRONTEND.
So, I tried this:
index=servers sourcetype=gateway AND sourcetype=server | search * | where TransactionID==OriginID | stats by count
This does not work. Could I please ask what would be the best way to get the details that I want to see?
Thank you.
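One way to get the per-ClientType counts described in the question, shown as an added example that is not part of the original post: each event carries exactly one sourcetype, so both sourcetypes are fetched with OR, and the gateway and server events are then paired on a shared ID with stats. The field names txn_id and sources are chosen for this example, and it assumes, as the post describes, that OriginID exists only on gateway events and TransactionID only on server events.

```spl
index=servers (sourcetype=gateway OR sourcetype=server)
| eval txn_id=coalesce(OriginID, TransactionID)
| stats dc(sourcetype) AS sources, values(ClientType) AS ClientType BY txn_id
| where sources=2
| stats count BY ClientType
```

The where sources=2 filter keeps only IDs seen in both sourcetypes, so gateway requests that never produced a server event are not counted.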