https://community.splunk.com/t5/Splunk-Search/transaction-commmand-with-huge-event-base/m-p/52052#M12638 <P>I don't know about your extraction problem, but I might use:</P> <PRE><CODE>index=myindex "sometext" OR ("sometext2" AND val&gt;500) | rex "sometext: (?&lt;msg&gt;.*)" | stats val,msg by field1,field2 </CODE></PRE> <P>This will run a lot faster if you have the data over multiple indexers, since <CODE>stats</CODE> will map-reduce much better than <CODE>transaction</CODE>.</P> <P>You could do this:</P> <PRE><CODE>index=myindex ("sometext" OR ("sometext2" AND val&gt;500)) [ search index=myindex "sometext2" AND val&gt;500 | fields + field1 field2 | format maxresults=10000 ] ) | rex "sometext: (?&lt;msg&gt;.*)" | stats val,msg by field1,field2 </CODE></PRE> <P>but whether that is actually faster depends on your data. </P> Wed, 02 Mar 2011 03:34:44 GMT gkanapathy 2011-03-02T03:34:44Z https://community.splunk.com/t5/Splunk-Search/transaction-commmand-with-huge-event-base/m-p/52051#M12637 <P>Hi,</P> <P>I've the following _raw event base:</P> <UL> <LI><P>line1 field1=field1Value field2=field2Value sometext: a_string</P></LI> <LI><P>line2 field1=field1Value field2=field2Value sometext2 val=400</P></LI> <LI><P>line3 field1=field1Value field2=field2Value sometext2 val=600</P></LI> </UL> <P>... and like to have the table that only contains events where val reaches a limit. When this limit is reached, I like to see the value behind "sometext: " (=a_string) from the event above with same field1Value and field2Value.</P> <P>The resulting table should have the cols:</P> <UL> <LI>field1 | field2 | val | msg</LI> </UL> <P>A row should have the values:</P> <UL> <LI>field1Value | field1Value | 600 | a_string</LI> </UL> <P>Here's my try with the transaction command:</P> <PRE><CODE>index=myindex "sometext" OR ("sometext2" AND val&gt;500) | transaction field1 field2 | rex field=_raw "sometext: (?&lt;msg&gt;.*)" | table field1 field2 val msg </CODE></PRE> <P>The 2 issues are:</P> <UL> <LI>the msg field is always emtpy and seem to not extracted correctly</LI> <LI>The first part of the query (up to the first pipe symbol) is returning a huge number of events (~200k) and thus the transaction seem takes an unacceptable time. Is the transaction a good way to accomplish such a resulting table? I suppose a "join" is not an option?</LI> </UL> <P>Any ideas?</P> <P>Thanks!</P> Wed, 02 Mar 2011 03:09:30 GMT https://community.splunk.com/t5/Splunk-Search/transaction-commmand-with-huge-event-base/m-p/52051#M12637 lwalhoefer 2011-03-02T03:09:30Z https://community.splunk.com/t5/Splunk-Search/transaction-commmand-with-huge-event-base/m-p/52052#M12638 <P>I don't know about your extraction problem, but I might use:</P> <PRE><CODE>index=myindex "sometext" OR ("sometext2" AND val&gt;500) | rex "sometext: (?&lt;msg&gt;.*)" | stats val,msg by field1,field2 </CODE></PRE> <P>This will run a lot faster if you have the data over multiple indexers, since <CODE>stats</CODE> will map-reduce much better than <CODE>transaction</CODE>.</P> <P>You could do this:</P> <PRE><CODE>index=myindex ("sometext" OR ("sometext2" AND val&gt;500)) [ search index=myindex "sometext2" AND val&gt;500 | fields + field1 field2 | format maxresults=10000 ] ) | rex "sometext: (?&lt;msg&gt;.*)" | stats val,msg by field1,field2 </CODE></PRE> <P>but whether that is actually faster depends on your data. </P> Wed, 02 Mar 2011 03:34:44 GMT https://community.splunk.com/t5/Splunk-Search/transaction-commmand-with-huge-event-base/m-p/52052#M12638 gkanapathy 2011-03-02T03:34:44Z