https://community.splunk.com/t5/Splunk-Search/Transactions-using-different-identifying-fields/m-p/141628#M39256 <P>Attached is some data that you should be able to use to reproduce what I am trying to achieve.</P> <P>Events.csv – extract of raw_field and sourcetype<BR /> Field extractions.txt – extract of field extractions from props.conf</P> <P>I'm trying to to follow the flow of transactions using Splunk.</P> <P>Transactions use different identifiers as they progress through which are: ORDER_NUMBER, CAR_PDR, CAR_PCR, PFM_PDR, PFM_PCR</P> <P>I an using joins to make sense of the results:</P> <P>chain=* | join PFM_PCR type=outer [search PFM_PCR=* PFM_PDR=<EM>] | join CAR_PCR type=outer [search CAR_PCR=</EM> CAR_PDR=<EM>] | join PFM_PDR type=outer [search ORDER_NUMBER=</EM> PFM_PDR=<EM>] | join CAR_PDR type=outer [search ORDER_NUMBER=</EM> CAR_PDR=*]| transaction ORDER_NUMBER</P> <P>I thought I didn’t need the joins and could do the following instead:</P> <P>chain=* | transaction ORDER_NUMBER CAR_PDR CAR_PCR PFM_PDR PFM_PCR</P> <P>but this had the effect of creating transactions that had all the keys as the tuple for the transaction ID. So we got a transactions for (order1,car_pdr1,…), (order1,car_pdr2,…) etc</P> <P>is there a better way of doing the transaction on ORDER_NUMBER that avoids all those messy joins?</P> Mon, 28 Sep 2020 18:56:08 GMT himynamesdave 2020-09-28T18:56:08Z https://community.splunk.com/t5/Splunk-Search/Transactions-using-different-identifying-fields/m-p/141628#M39256 <P>Attached is some data that you should be able to use to reproduce what I am trying to achieve.</P> <P>Events.csv – extract of raw_field and sourcetype<BR /> Field extractions.txt – extract of field extractions from props.conf</P> <P>I'm trying to to follow the flow of transactions using Splunk.</P> <P>Transactions use different identifiers as they progress through which are: ORDER_NUMBER, CAR_PDR, CAR_PCR, PFM_PDR, PFM_PCR</P> <P>I an using joins to make sense of the results:</P> <P>chain=* | join PFM_PCR type=outer [search PFM_PCR=* PFM_PDR=<EM>] | join CAR_PCR type=outer [search CAR_PCR=</EM> CAR_PDR=<EM>] | join PFM_PDR type=outer [search ORDER_NUMBER=</EM> PFM_PDR=<EM>] | join CAR_PDR type=outer [search ORDER_NUMBER=</EM> CAR_PDR=*]| transaction ORDER_NUMBER</P> <P>I thought I didn’t need the joins and could do the following instead:</P> <P>chain=* | transaction ORDER_NUMBER CAR_PDR CAR_PCR PFM_PDR PFM_PCR</P> <P>but this had the effect of creating transactions that had all the keys as the tuple for the transaction ID. So we got a transactions for (order1,car_pdr1,…), (order1,car_pdr2,…) etc</P> <P>is there a better way of doing the transaction on ORDER_NUMBER that avoids all those messy joins?</P> Mon, 28 Sep 2020 18:56:08 GMT https://community.splunk.com/t5/Splunk-Search/Transactions-using-different-identifying-fields/m-p/141628#M39256 himynamesdave 2020-09-28T18:56:08Z https://community.splunk.com/t5/Splunk-Search/Transactions-using-different-identifying-fields/m-p/141629#M39257 <P>So transaction should be working exactly as you're expecting here. Consider:</P> <PRE><CODE>event=1 field1=foo event=2 field1=foo event=3 field1=foo field2=bar event=4 field2=bar event=5 field2=bar </CODE></PRE> <P>If you run <CODE>|transaction field1 field2</CODE> you'll actually get a single event based containing 1 through 5. This is because it's looking for transitive relationships, and as long as there is at least one event where fields overlap, it'll consider them joined. </P> <P>However, that ONLY works if you have some overlap connecting events. </P> <P>Your sample data doesn't seem to include everything needed to test this. For example, there are no events that meet the <CODE>EXTRACT-chain,PFM_PDR,File_name</CODE>, <CODE>EXTRACT-chain (PcR finished)</CODE>, <CODE>EXTRACT-PFM_PcR,PFM_PcR_type</CODE>, <CODE>EXTRACT-PFM_PDR,PFM_PcR,chain,Product_name</CODE> extractions from the PSM_FILE sourcetype. </P> Wed, 11 Feb 2015 17:35:14 GMT https://community.splunk.com/t5/Splunk-Search/Transactions-using-different-identifying-fields/m-p/141629#M39257 emiller42 2015-02-11T17:35:14Z https://community.splunk.com/t5/Splunk-Search/Transactions-using-different-identifying-fields/m-p/141630#M39258 <P>Hi david</P> <P>While not exactly what you are asking for, you might be able to get around the problem by using the stats command and list() by ORDER_NUMBER</P> <P>| stats count as eventcount list(_raw) as events,list(PFM_PCR) as PFM_PCR,list(CAR_PCR) as CAR_PCR,list(PFM_PDR) as PFM_PDR,list(CAR_PDR) as CAR_PDR, range(_time) as duration by ORDER_NUMBER</P> <P>After this command you can apply some conditional searching to narrow down the results to fit your outer join "criterias"</P> <P>j</P> Mon, 28 Sep 2020 18:54:05 GMT https://community.splunk.com/t5/Splunk-Search/Transactions-using-different-identifying-fields/m-p/141630#M39258 jbjerke_splunk 2020-09-28T18:54:05Z