https://community.splunk.com/t5/Splunk-Search/Joining-to-another-sourcetype-based-on-field-from-one-log/m-p/110704#M28938 <P>Thanks for the help, figured it out</P> Thu, 14 May 2015 15:06:35 GMT danoconnl 2015-05-14T15:06:35Z https://community.splunk.com/t5/Splunk-Search/Joining-to-another-sourcetype-based-on-field-from-one-log/m-p/110702#M28936 <P>log a<BR /> 5/14/2015 1pm [1150] &lt;message&gt;&lt;trnid&gt;1001&lt;/trnid&gt;&lt;/message&gt;<BR /> 5/14/2015 1:01pm [1150]elapsed time = 1100</P> <P>log b<BR /> 5/14/2015 1pm, trnid=1001, 1200</P> <P>so log a and b are linked on transaction id, and the two lines in log a are linked by the 1150.</P> <P>I've got code that will pull the trnid out of the message, I just don't know how to link the two together and then use it to compare the elapsed time in log a to the third number in log b</P> <P>Dan</P> Thu, 14 May 2015 12:45:48 GMT https://community.splunk.com/t5/Splunk-Search/Joining-to-another-sourcetype-based-on-field-from-one-log/m-p/110702#M28936 danoconnl 2015-05-14T12:45:48Z https://community.splunk.com/t5/Splunk-Search/Joining-to-another-sourcetype-based-on-field-from-one-log/m-p/110703#M28937 <P>Depending on what your end goal is you should use either of the following commands:<BR /> - <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction">Transaction</A><BR /> You'd have to transact on log a's ID, then transact with the trnid to log b. You'd end up with a single event with all three log lines aggregated, and all the fields from all three events would be available in your new aggregated event.</P> <P>Your search would look something like this:</P> <P>&lt;base search for both log a and log b&gt; | transaction &lt;log a's id&gt; keeporphans=true | transaction trnid</P> <P>Make sure to use as many parameters/attributes in each of the transaction commands, because transaction can be an expensive command. Look into things like maxspan, maxpause, startswith, etc</P> <P>OR<BR /> - <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join">Join</A><BR /> Basically you'd have to treat every part as a database table and join them separately. You'd end up with all the fields from all the events under a single event, but you would not have all the _raw messages from each event. Also note that join uses subsearches; subsearches are not efficient and have a default 10k limit to resulting events.</P> <P>Your search would look something like this:</P> <P>&lt;your base search for log a type 1 events &gt; | join &lt;log a's id&gt; [search &lt;your base search for log a type 2 events&gt; | join trnid [search &lt;base search for log b&gt;</P> <P>Hope this helps</P> <P>--- EDIT: fixed typos ---</P> Thu, 14 May 2015 13:48:18 GMT https://community.splunk.com/t5/Splunk-Search/Joining-to-another-sourcetype-based-on-field-from-one-log/m-p/110703#M28937 aholzer 2015-05-14T13:48:18Z https://community.splunk.com/t5/Splunk-Search/Joining-to-another-sourcetype-based-on-field-from-one-log/m-p/110704#M28938 <P>Thanks for the help, figured it out</P> Thu, 14 May 2015 15:06:35 GMT https://community.splunk.com/t5/Splunk-Search/Joining-to-another-sourcetype-based-on-field-from-one-log/m-p/110704#M28938 danoconnl 2015-05-14T15:06:35Z