https://community.splunk.com/t5/Splunk-Search/Need-solution-on-search-query/m-p/703408#M238404 <P>This would more efficient if indexA was a lookup table, but this query should get you started.&nbsp; Others may bristle at the use of <FONT face="courier new,courier">join</FONT>, but they are welcome to submit alternatives.&nbsp; <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><LI-CODE lang="markup">index=indexb OR index=indexa | stats values(*) as * by transactionID | join customerID [search index=indexa] | table timestamp customerID transactionID status type</LI-CODE><P>&nbsp;</P> Sat, 02 Nov 2024 17:38:24 GMT richgalloway 2024-11-02T17:38:24Z https://community.splunk.com/t5/Splunk-Search/Need-solution-on-search-query/m-p/703388#M238401 <P>I am having two index( index A and index B). Here I need to measure response time of topup of prepaid or postpaid number with help of transaction ID.</P><P>From index A I can filter where the transaction is prepaid or postpaid,index A contains(customer ID, Type(Prepaid or Postpaid).</P><P>In indexB we have two logs one is request log and other is response log.</P><P>With help of customer ID from Index A I need to find the transaction ID from Request log since customer ID is not available in response log. Once we get the transaction ID, we need to substract the time stamp (Response log time- Request log time).</P><P>Index A. Log pattern---&gt; _timestamp, customerID,type</P><P>Index B----&gt; contains request and response log.</P><P>Request log pattern---&gt; timestamp, transactionID, customer ID</P><P>Response log pattern---&gt;timestamp, transactionID,status.</P><P>&nbsp;</P><P>Method to measure --&gt; From index A we need to get customerID and then go to index B to find out the transaction ID from Request log. With help of transactionID need to subtract the timestamp between response and request log from index B</P><P>Please help us how we can proceed,in SPL query.</P> Sat, 02 Nov 2024 13:43:35 GMT https://community.splunk.com/t5/Splunk-Search/Need-solution-on-search-query/m-p/703388#M238401 dinesh001kumar 2024-11-02T13:43:35Z https://community.splunk.com/t5/Splunk-Search/Need-solution-on-search-query/m-p/703408#M238404 <P>This would more efficient if indexA was a lookup table, but this query should get you started.&nbsp; Others may bristle at the use of <FONT face="courier new,courier">join</FONT>, but they are welcome to submit alternatives.&nbsp; <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><LI-CODE lang="markup">index=indexb OR index=indexa | stats values(*) as * by transactionID | join customerID [search index=indexa] | table timestamp customerID transactionID status type</LI-CODE><P>&nbsp;</P> Sat, 02 Nov 2024 17:38:24 GMT https://community.splunk.com/t5/Splunk-Search/Need-solution-on-search-query/m-p/703408#M238404 richgalloway 2024-11-02T17:38:24Z https://community.splunk.com/t5/Splunk-Search/Need-solution-on-search-query/m-p/703436#M238424 <LI-CODE lang="markup">| eval request_time=if(isnotnull(transactionID) AND isnotnull(customerID), time, null()) | eval response_time=if(isnotnull(transactionID) AND isnull(customerID), time, null()) | eventstats values(request_time) as request_time values(response_time) as response_time values(customerID) as customerID by transactionID | eventstats values(type) as type by customerID | stats values(request_time) as request_time values(response_time) as response_time values(status) as status values(type) as type by customerID transactionID</LI-CODE> Sun, 03 Nov 2024 13:36:36 GMT https://community.splunk.com/t5/Splunk-Search/Need-solution-on-search-query/m-p/703436#M238424 ITWhisperer 2024-11-03T13:36:36Z