topic Re: How to build a transaction from multiple, somewhat disparate, indexes in Splunk Search

How to build a transaction from multiple, somewhat disparate, indexes

castle1126 — Fri, 25 Mar 2011 09:36:03 GMT

Hi,

I have three indexes that I'm trying to build a transaction from. the first two indexes each have a field named User_Name, which makes the transaction statement pretty easy. This creates the base transaction I'm looking for.

The first index also has a field called ip. What I want to do is use this field to retrieve the events from the third index into the first transaction (unfortunately the User_Name field does not exist in the third index). I've tried so many different searches, all never result in a transaction containing all the pertinent records.

Any thoughts on how to create this type of transaction?

Thanks!!

Re: How to build a transaction from multiple, somewhat disparate, indexes

southeringtonp — Fri, 25 Mar 2011 20:36:34 GMT

What does your data look like? Is the username completely missing from the third index, or just not extracted into that field?

Re: How to build a transaction from multiple, somewhat disparate, indexes

b4ggio — Thu, 07 Apr 2011 22:00:37 GMT

I am also keen to see what the data looks like as mentioned by southeringtonp. Have you thought about doing data enrichment using a lookup of some unique data and then using the new field to transact on.

Re: How to build a transaction from multiple, somewhat disparate, indexes

castle1126 — Thu, 07 Apr 2011 23:38:33 GMT

The username field does not exist from the third index.

Re: How to build a transaction from multiple, somewhat disparate, indexes

sdwilkerson — Tue, 23 Aug 2011 21:12:31 GMT

What fields do exists in the third index that might be used to unite those events with events from one of the first two indexes? A subsearch or double-transaction might work.

Re: How to build a transaction from multiple, somewhat disparate, indexes

curtgran — Wed, 28 Sep 2011 19:47:47 GMT

Maybe this isn't the best place to ask this question but I'll try anyway.

Can I transaction span multiple indexes and multiple sourcetypes? It seems like it can but I thought I would ask to verify it.

Curt

Re: How to build a transaction from multiple, somewhat disparate, indexes

sdwilkerson — Wed, 28 Sep 2011 20:22:05 GMT

Curtgan, Yes, this isn't the right place, you should really have started a new question. But the answer to your question is, yes, transaction doesn't care so long as the time settings and field are right.

Re: How to build a transaction from multiple, somewhat disparate, indexes

BenAveling — Mon, 16 Sep 2013 06:22:22 GMT

Does the 3rd index have ip? If so, what happens when you try to build a transaction on ip and user_name?