https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-list-events-together-that/m-p/278071#M83924 <P>@cmo87 - Did the answer provided by somesoni2 help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!</P> Fri, 24 Feb 2017 02:58:51 GMT aaraneta_splunk 2017-02-24T02:58:51Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-list-events-together-that/m-p/278068#M83921 <P>I have three different events that compose a single email transaction that I need to list together. The problem is that they don't have a single field in common across all three events.</P> <P>In eventA I have message_id and postfix_queue_id.<BR /> In eventB I have postfix_queue_id and PMX_queue_ID.<BR /> In eventC I have just the PMX_queue_ID.</P> <P>I feel like this should be a pretty simple search string, but I can't seem to get the syntax to spit out the results I want.</P> Tue, 29 Sep 2020 12:44:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-list-events-together-that/m-p/278068#M83921 cmo87 2020-09-29T12:44:08Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-list-events-together-that/m-p/278069#M83922 <P>Give this a try. This will add all three fields to all events (message_id, postfix_queue_id and PMX_queue_ID).</P> <PRE><CODE>(base search eventA) OR (base search eventB) OR (base search eventC) | eventstats values(postfix_queue_id) as temp by PMX_queue_ID | eval postfix_queue_id=coalesce(postfix_queue_id,temp) | eventstats values(PMX_queue_ID) as temp by postfix_queue_id| eval PMX_queue_ID =coalesce(PMX_queue_ID ,temp) | eventstats values(message_id ) as temp by postfix_queue_id PMX_queue_ID | eval message_id =coalesce(message_id ,temp) | fields - temp </CODE></PRE> <P>After that you can add appropriate command per your requirements. (transaction, stats, timechart etc)</P> Tue, 29 Sep 2020 12:43:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-list-events-together-that/m-p/278069#M83922 somesoni2 2020-09-29T12:43:41Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-list-events-together-that/m-p/278070#M83923 <P>Sweet. That method is going in my toolbox. </P> <P>This splunk / noSQL idea of just throwing everything in the same pot and then stirring until it unmixes itself. Brilliant.</P> Fri, 03 Feb 2017 21:19:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-list-events-together-that/m-p/278070#M83923 DalJeanis 2017-02-03T21:19:41Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-list-events-together-that/m-p/278071#M83924 <P>@cmo87 - Did the answer provided by somesoni2 help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!</P> Fri, 24 Feb 2017 02:58:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-list-events-together-that/m-p/278071#M83924 aaraneta_splunk 2017-02-24T02:58:51Z