https://community.splunk.com/t5/Splunk-Search/Transaction-with-multiple-sourcetype/m-p/49638#M11917 <P>Thanks to both of you.</P> Fri, 25 Feb 2011 17:05:35 GMT cafissimo 2011-02-25T17:05:35Z https://community.splunk.com/t5/Splunk-Search/Transaction-with-multiple-sourcetype/m-p/49635#M11914 <P>Hello, please, I would like to know if it is possible to use multiple and different sourcetypes with the splunk "transaction" command.</P> <P>Thanks and kind regards.</P> <P>Luca Caldiero Consoft Sistemi S.p.A.</P> Thu, 24 Feb 2011 21:56:52 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-with-multiple-sourcetype/m-p/49635#M11914 cafissimo 2011-02-24T21:56:52Z https://community.splunk.com/t5/Splunk-Search/Transaction-with-multiple-sourcetype/m-p/49636#M11915 <P>I guess it's similar to this one: <A href="http://answers.splunk.com/questions/3994/multiple-transactions-in-a-single-search" rel="nofollow">http://answers.splunk.com/questions/3994/multiple-transactions-in-a-single-search</A></P> <P>gkanapathy mentioned several sourcetypes with one transaction command</P> Thu, 24 Feb 2011 22:11:54 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-with-multiple-sourcetype/m-p/49636#M11915 LCM 2011-02-24T22:11:54Z https://community.splunk.com/t5/Splunk-Search/Transaction-with-multiple-sourcetype/m-p/49637#M11916 <P>What the transaction command does is simply grouping/merging events with the same value of the specified field(s) into one event. <CODE>sourcetype</CODE> is just another field for this command. So a simple search like this would create transaction events from multiple sourcetypes:</P> <PRE><CODE>sourcetype=my_sourcetype1 OR sourcetype=mysourcetype2 | transaction myTransactionField </CODE></PRE> <P>The only thing that matters is that the content of the field(s) used to build the transaction has the same value in those events that should get merged.</P> Thu, 24 Feb 2011 22:55:42 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-with-multiple-sourcetype/m-p/49637#M11916 ziegfried 2011-02-24T22:55:42Z https://community.splunk.com/t5/Splunk-Search/Transaction-with-multiple-sourcetype/m-p/49638#M11917 <P>Thanks to both of you.</P> Fri, 25 Feb 2011 17:05:35 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-with-multiple-sourcetype/m-p/49638#M11917 cafissimo 2011-02-25T17:05:35Z