https://community.splunk.com/t5/Splunk-Search/Confused-with-Transaction-and-map-command/m-p/564038#M196474 <P>Ah okay. I didn't read that part in the question. With large sets of data, map is even worse than join. Will take a lot of time, slow execution, missed results and you'll probably need more than maxsearches=1000+. Please try this:</P><P>| multisearch [search&nbsp;<SPAN>index="xyz" source="source1"&nbsp; "pacs.200"&nbsp;</SPAN><BR /><SPAN>AND</SPAN><BR /><SPAN>index="xyz" source="source1" "pacs.800"]</SPAN></P><P><SPAN>[search index=your_index source=source2 | rename IDfield as IDfield1]</SPAN></P><P><SPAN>| eval matched_IDfield = coalesce (IDfield,IDfield1)</SPAN></P><P><SPAN>| fields + &lt;fields from both sources that you want to see in the result&gt;</SPAN></P><P><SPAN>| stats list(*) as *</SPAN></P><P>&nbsp;</P><P><SPAN>Let me know if this helps.</SPAN></P><P><SPAN>Thanks,</SPAN></P><P><SPAN>S&nbsp;</SPAN></P><P><SPAN>****If the answer helped, please upvote and accept it as a solution. It helps others to find the solution quickly****</SPAN></P> Fri, 20 Aug 2021 07:29:23 GMT shivanshu1593 2021-08-20T07:29:23Z https://community.splunk.com/t5/Splunk-Search/Confused-with-Transaction-and-map-command/m-p/563796#M196456 <P>Hi I have two searches for&nbsp; which searches pacs.200(input) and pacs.800(output) records&nbsp; for an ID&nbsp;</P><P>inxdex="xyz" source="source1"&nbsp; "pacs.200"&nbsp;<BR />and&nbsp;&nbsp;<BR />inxdex="xyz" source="source1" "pacs.800"<BR /><BR />i use transaction command to get transaction time between&nbsp;&nbsp;pacs.200(input) and pacs.800(output)&nbsp; which works good&nbsp;<BR /><BR />but i have one another source="source2"&nbsp; which has same IDfield common but other diffrent fields&nbsp;&nbsp;<BR /><BR />I want to map "source2" data with output of my (source1)&nbsp; To get some fields from Source2&nbsp; but its a huge data (probably 200k and more ) so map is not working&nbsp; properly here ? and i guess i cant use transaction command as i have already used this with first 2 searches can anyone help me with How should i map my source 2 data with my previous output ?</P> Wed, 18 Aug 2021 14:32:57 GMT https://community.splunk.com/t5/Splunk-Search/Confused-with-Transaction-and-map-command/m-p/563796#M196456 KBudhale 2021-08-18T14:32:57Z https://community.splunk.com/t5/Splunk-Search/Confused-with-Transaction-and-map-command/m-p/563910#M196457 <P><SPAN>Hello,</SPAN></P><P><SPAN>Please try something like this:</SPAN></P><P><SPAN>index="xyz" source="source1"&nbsp; "pacs.200"&nbsp;</SPAN><BR />AND<BR /><SPAN>index="xyz" source="source1" "pacs.800"&nbsp;</SPAN><SPAN>&nbsp;|&nbsp; join IDfield [index=your_index source=source 2 | table IDfield &lt;add more fields that you want to see] | rest of your query</SPAN></P><P>&nbsp;</P><P>Let me know if it helps.</P><P>Thanks,</P><P>S&nbsp;</P><P>****If the answer helped, please upvote and accept it as a solution. It helps others to find the solution quickly****</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 19 Aug 2021 08:51:00 GMT https://community.splunk.com/t5/Splunk-Search/Confused-with-Transaction-and-map-command/m-p/563910#M196457 shivanshu1593 2021-08-19T08:51:00Z https://community.splunk.com/t5/Splunk-Search/Confused-with-Transaction-and-map-command/m-p/564022#M196471 <P>Hi&nbsp; <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/61125">@shivanshu1593</a>&nbsp;, Thanks for your help man but&nbsp;</P><P>As i said there are too many records&nbsp; i am&nbsp; trying to map splunk Join has limitations so i tried using Join but it never works properly, That's why at first place i went for Transaction command&nbsp;</P><DIV class="lia-message-author-with-avatar">&nbsp;</DIV> Fri, 20 Aug 2021 05:00:42 GMT https://community.splunk.com/t5/Splunk-Search/Confused-with-Transaction-and-map-command/m-p/564022#M196471 KBudhale 2021-08-20T05:00:42Z https://community.splunk.com/t5/Splunk-Search/Confused-with-Transaction-and-map-command/m-p/564035#M196473 <P>Can you give some (masked) example data, your current query and example what you want like moc or something similar?</P> Fri, 20 Aug 2021 07:00:59 GMT https://community.splunk.com/t5/Splunk-Search/Confused-with-Transaction-and-map-command/m-p/564035#M196473 isoutamo 2021-08-20T07:00:59Z https://community.splunk.com/t5/Splunk-Search/Confused-with-Transaction-and-map-command/m-p/564038#M196474 <P>Ah okay. I didn't read that part in the question. With large sets of data, map is even worse than join. Will take a lot of time, slow execution, missed results and you'll probably need more than maxsearches=1000+. Please try this:</P><P>| multisearch [search&nbsp;<SPAN>index="xyz" source="source1"&nbsp; "pacs.200"&nbsp;</SPAN><BR /><SPAN>AND</SPAN><BR /><SPAN>index="xyz" source="source1" "pacs.800"]</SPAN></P><P><SPAN>[search index=your_index source=source2 | rename IDfield as IDfield1]</SPAN></P><P><SPAN>| eval matched_IDfield = coalesce (IDfield,IDfield1)</SPAN></P><P><SPAN>| fields + &lt;fields from both sources that you want to see in the result&gt;</SPAN></P><P><SPAN>| stats list(*) as *</SPAN></P><P>&nbsp;</P><P><SPAN>Let me know if this helps.</SPAN></P><P><SPAN>Thanks,</SPAN></P><P><SPAN>S&nbsp;</SPAN></P><P><SPAN>****If the answer helped, please upvote and accept it as a solution. It helps others to find the solution quickly****</SPAN></P> Fri, 20 Aug 2021 07:29:23 GMT https://community.splunk.com/t5/Splunk-Search/Confused-with-Transaction-and-map-command/m-p/564038#M196474 shivanshu1593 2021-08-20T07:29:23Z