https://community.splunk.com/t5/Getting-Data-In/How-to-write-a-Splunk-search-to-get-to-a-field-value-that/m-p/625278#M107465 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/244375">@sekhar463</a>,</P><P>transaction command is usually very slow, and muste be used as last chance, please try something like this:</P><LI-CODE lang="markup">index=indexname sourcetype=sourcetypename | eval Actualstarttime=strftime(strptime(NEXT_START,"%Y/%m/%d %H:%M:%S"),"%H:%M") | eval Job_start_by=strftime(strptime(LAST_START,"%Y/%m/%d %H:%M:%S"),"%H:%M") | stats values(JOB_NAME) AS JOB_NAME values(JOB_GROUP) AS JOB_GROUP values(REGION) AS REGION values(TIMEZONE) AS TIMEZONE values(STATUS) AS STATUS values(Currenttime) AS Currenttime values(STATUS_TIME) AS STATUS_TIME values(LAST_START) AS LAST_START values(LAST_END) AS LAST_END values(NEXT_START) AS NEXT_START values(DAYS_OF_WEEK) AS DAYS_OF_WEEK values(EXCLUDE_CALENDAR) AS EXCLUDE_CALENDAR values(RUNTIME) AS RUNTIME values(Actualstarttime) AS Actualstarttime values(Job_start_by) AS Job_start_by values(START_SLA) AS START_SLA values(AVG_RUN_TIME) AS AVG_RUN_TIME BY BOX_NAME</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Mon, 26 Dec 2022 16:31:35 GMT gcusello 2022-12-26T16:31:35Z https://community.splunk.com/t5/Getting-Data-In/How-to-write-a-Splunk-search-to-get-to-a-field-value-that/m-p/625256#M107462 <P>Good day,</P> <P>i am using search query to correlate one field belongs and related jobs for that field</P> <P>i am using below query using transaction but i am trying to get unique value for one field but values are missing for other fields also.</P> <P>correct my query&nbsp;</P> <P>as my output expecting is in the table name of the BOX_NAME with one unque value and respective JOB_NAME under BOX_NAME</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=indexname sourcetype=sourcetypename | eval Actualstarttime=strftime(strptime(NEXT_START,"%Y/%m/%d %H:%M:%S"),"%H:%M") | eval Job_start_by=strftime(strptime(LAST_START,"%Y/%m/%d %H:%M:%S"),"%H:%M") | transaction BOX_NAME | table BOX_NAME,JOB_NAME,JOB_GROUP,REGION,TIMEZONE,STATUS,Currenttime,STATUS_TIME,LAST_START,LAST_END,NEXT_START,DAYS_OF_WEEK,EXCLUDE_CALENDAR,RUNTIME,Actualstarttime,Job_start_by,START_SLA,AVG_RUN_TIME </LI-CODE> Thu, 29 Dec 2022 03:29:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-write-a-Splunk-search-to-get-to-a-field-value-that/m-p/625256#M107462 sekhar463 2022-12-29T03:29:09Z https://community.splunk.com/t5/Getting-Data-In/How-to-write-a-Splunk-search-to-get-to-a-field-value-that/m-p/625278#M107465 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/244375">@sekhar463</a>,</P><P>transaction command is usually very slow, and muste be used as last chance, please try something like this:</P><LI-CODE lang="markup">index=indexname sourcetype=sourcetypename | eval Actualstarttime=strftime(strptime(NEXT_START,"%Y/%m/%d %H:%M:%S"),"%H:%M") | eval Job_start_by=strftime(strptime(LAST_START,"%Y/%m/%d %H:%M:%S"),"%H:%M") | stats values(JOB_NAME) AS JOB_NAME values(JOB_GROUP) AS JOB_GROUP values(REGION) AS REGION values(TIMEZONE) AS TIMEZONE values(STATUS) AS STATUS values(Currenttime) AS Currenttime values(STATUS_TIME) AS STATUS_TIME values(LAST_START) AS LAST_START values(LAST_END) AS LAST_END values(NEXT_START) AS NEXT_START values(DAYS_OF_WEEK) AS DAYS_OF_WEEK values(EXCLUDE_CALENDAR) AS EXCLUDE_CALENDAR values(RUNTIME) AS RUNTIME values(Actualstarttime) AS Actualstarttime values(Job_start_by) AS Job_start_by values(START_SLA) AS START_SLA values(AVG_RUN_TIME) AS AVG_RUN_TIME BY BOX_NAME</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Mon, 26 Dec 2022 16:31:35 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-write-a-Splunk-search-to-get-to-a-field-value-that/m-p/625278#M107465 gcusello 2022-12-26T16:31:35Z