topic Re: Extract data from an entry that is dependant on data from a different entry in Splunk Search https://community.splunk.com/t5/Splunk-Search/Extract-data-from-an-entry-that-is-dependant-on-data-from-a/m-p/207695#M187772 <P>Sure, </P> <PRE><CODE>date_year="2015" ClothingID="*" [search "Red"] | rename ShoppingSessionID as Store_Visit | table Person, Store_Visit </CODE></PRE> <P>I have 1 set of logs with multiple categories of entries. Some entries only have a person's ID, some only have a person's Shopping Session ID, and some have both a person's ID and Shopping session ID for a Successful Purchase (denoted by an entry of "Purchased Red Clothes"). Through these entries, I can link the person's ID to their particular Shopping Session where they made a purchase. I want to see who made a successful purchase of Red clothes.</P> Wed, 28 Oct 2015 19:57:08 GMT _dave_b 2015-10-28T19:57:08Z Extract data from an entry that is dependant on data from a different entry https://community.splunk.com/t5/Splunk-Search/Extract-data-from-an-entry-that-is-dependant-on-data-from-a/m-p/207691#M187768 <P>Hello. I'm trying to extract a value from one log entry so I can use it to extract data from another entry, like<BR /> Entry 1 Has A and B<BR /> Entry 2 Has B and C<BR /> I want to get C from Entry 2 using A from Entry 1. I know I can use B to link them together somehow, but I don't know the command to do so. I've been trying subsearches and transactions, but nothing has worked for me.</P> <P>Thanks for your help.</P> Wed, 28 Oct 2015 15:24:34 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-an-entry-that-is-dependant-on-data-from-a/m-p/207691#M187768 _dave_b 2015-10-28T15:24:34Z Re: Extract data from an entry that is dependant on data from a different entry https://community.splunk.com/t5/Splunk-Search/Extract-data-from-an-entry-that-is-dependant-on-data-from-a/m-p/207692#M187769 <P>You can use the "where" command to compare field values (where field1=field2). Documentation for the where command: <A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Where">http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Where</A></P> Wed, 28 Oct 2015 17:01:20 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-an-entry-that-is-dependant-on-data-from-a/m-p/207692#M187769 jluo_splunk 2015-10-28T17:01:20Z Re: Extract data from an entry that is dependant on data from a different entry https://community.splunk.com/t5/Splunk-Search/Extract-data-from-an-entry-that-is-dependant-on-data-from-a/m-p/207693#M187770 <P>Thanks, but how do I shoehorn that into one search statement?</P> Wed, 28 Oct 2015 19:08:58 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-an-entry-that-is-dependant-on-data-from-a/m-p/207693#M187770 _dave_b 2015-10-28T19:08:58Z Re: Extract data from an entry that is dependant on data from a different entry https://community.splunk.com/t5/Splunk-Search/Extract-data-from-an-entry-that-is-dependant-on-data-from-a/m-p/207694#M187771 <P>Can you post the search statement you are currently working with? </P> Wed, 28 Oct 2015 19:14:28 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-an-entry-that-is-dependant-on-data-from-a/m-p/207694#M187771 jluo_splunk 2015-10-28T19:14:28Z Re: Extract data from an entry that is dependant on data from a different entry https://community.splunk.com/t5/Splunk-Search/Extract-data-from-an-entry-that-is-dependant-on-data-from-a/m-p/207695#M187772 <P>Sure, </P> <PRE><CODE>date_year="2015" ClothingID="*" [search "Red"] | rename ShoppingSessionID as Store_Visit | table Person, Store_Visit </CODE></PRE> <P>I have 1 set of logs with multiple categories of entries. Some entries only have a person's ID, some only have a person's Shopping Session ID, and some have both a person's ID and Shopping session ID for a Successful Purchase (denoted by an entry of "Purchased Red Clothes"). Through these entries, I can link the person's ID to their particular Shopping Session where they made a purchase. I want to see who made a successful purchase of Red clothes.</P> Wed, 28 Oct 2015 19:57:08 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-an-entry-that-is-dependant-on-data-from-a/m-p/207695#M187772 _dave_b 2015-10-28T19:57:08Z Re: Extract data from an entry that is dependant on data from a different entry https://community.splunk.com/t5/Splunk-Search/Extract-data-from-an-entry-that-is-dependant-on-data-from-a/m-p/207696#M187773 <P>Assuming A, B, and C are field names.</P> <UL> <LI><P>transaction:</P> <P>Entry1 OR Entry2 | transaction B</P></LI> <LI><P>subsearch:</P> <P>Entry2 | join B [ search Entry1 | fields A,B ] | table A,B,C</P></LI> </UL> Wed, 28 Oct 2015 20:13:52 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-an-entry-that-is-dependant-on-data-from-a/m-p/207696#M187773 the_wolverine 2015-10-28T20:13:52Z Re: Extract data from an entry that is dependant on data from a different entry https://community.splunk.com/t5/Splunk-Search/Extract-data-from-an-entry-that-is-dependant-on-data-from-a/m-p/207697#M187774 <P>Ah - I misunderstood the question. Transaction <EM>should</EM> do the trick.</P> <P>source=log1 OR source=log2 | transaction CustomerID</P> Wed, 28 Oct 2015 20:34:28 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-an-entry-that-is-dependant-on-data-from-a/m-p/207697#M187774 jluo_splunk 2015-10-28T20:34:28Z