https://community.splunk.com/t5/Getting-Data-In/Multiple-Transactions-in-a-Single-Search/m-p/16112#M1889 <P>You should be able to just use a single transaction command: <CODE>...|transaction ReqId trackerid | search sourcetype="corps_app_audit" AND sourcetype="corps_app_error"</CODE></P> <P>If an event is missing a transaction field (trackerid), but matches on others (ReqId), it will still be included in the transaction.</P> Fri, 25 Jun 2010 00:52:47 GMT gkanapathy 2010-06-25T00:52:47Z https://community.splunk.com/t5/Getting-Data-In/Multiple-Transactions-in-a-Single-Search/m-p/16111#M1888 <P>I am trying to link events from two separate sourcetypes together that have different fields available. The "corps_app_error" sourcetype only has ReqId available, while the "corps_app_audit" sourcetype has both ReqId and trackerid. I want all events with the same trackerid or ReqId to become a single transaction. I then want to find all transactions with both sourcetypes within them (To find which transactions had errors essentially).</P> <P>However, when I do a search with two "transaction" strings the results go blank. An OR within the transaction doesn't appear to give me the results I'm after as well.</P> <P>sourcetype="corps_app_error" OR (sourcetype="corps_app_audit" operation=CreatePIN ref_operation=CreatePIN step=Resolve) | transaction keepevicted=true ReqId | transaction keepevicted=true trackerid | search sourcetype="corps_app_audit" AND sourcetype="corps_app_error"</P> <P>Any suggestions?</P> <P>The first answer doesn't seem to work for me. If I do the search:</P> <P>sourcetype="corps_app_error" OR (sourcetype="corps_app_audit" operation=CreatePIN step=Resolve method=NBPart OR method=RtlCust OR method=eWPEmp begin) | transaction keepevicted=true ReqId | search sourcetype="corps_app_audit" AND sourcetype="corps_app_error" trackerid="4c24c2810a060c7c20005f3a0016aa33" | transaction keepevicted=true trackerid</P> <P>I get 1 result and it tells me 1 event showing yet I can't see any events listed. Basically the events pane is blank.</P> <P>While if I do the search:</P> <P>sourcetype="corps_app_error" OR (sourcetype="corps_app_audit" operation=CreatePIN step=Resolve method=NBPart OR method=RtlCust OR method=eWPEmp begin) | transaction keepevicted=true ReqId trackerid | search sourcetype="corps_app_audit" AND sourcetype="corps_app_error" trackerid="4c24c2810a060c7c20005f3a0016aa33"</P> <P>I get 9 results and the trackerid's are not combined into a single transaction like I expect them to be.</P> Thu, 24 Jun 2010 23:59:51 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-Transactions-in-a-Single-Search/m-p/16111#M1888 bryancrabtree 2010-06-24T23:59:51Z https://community.splunk.com/t5/Getting-Data-In/Multiple-Transactions-in-a-Single-Search/m-p/16112#M1889 <P>You should be able to just use a single transaction command: <CODE>...|transaction ReqId trackerid | search sourcetype="corps_app_audit" AND sourcetype="corps_app_error"</CODE></P> <P>If an event is missing a transaction field (trackerid), but matches on others (ReqId), it will still be included in the transaction.</P> Fri, 25 Jun 2010 00:52:47 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-Transactions-in-a-Single-Search/m-p/16112#M1889 gkanapathy 2010-06-25T00:52:47Z