https://community.splunk.com/t5/Splunk-Search/Struggling-with-a-multi-log-transaction/m-p/301569#M90805 <P>Awesome! Have a great weekend <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 07 Jul 2017 21:01:35 GMT coltwanger 2017-07-07T21:01:35Z https://community.splunk.com/t5/Splunk-Search/Struggling-with-a-multi-log-transaction/m-p/301565#M90801 <P>I'm trying to establish a transaction. The information is in two different indexes, different sourcetypes, etc. Basically what I've got in index 1 is a bunch of XML-formatted Windows event log data...I'm able to successfully do the necessary search, run an spath on it to extract the field/value I need (a domain\username), etc. The other index contains pretty basic log data, including a field named "SlotID" that contains data formatted as domain\username. I'm also able to run a search successfully to grab that data. This is what the beginning of my search looks like:</P> <P>host= (index=main sourcetype= Message=) OR (index=wineventlog EventID=800) | spath output=user path=Event.UserData.EventXML.param1 | eval lcuser=lower(user)</P> <P>At that point if I go look at my search results I have all the data I need to get the transaction duration (which starts with the EventID=800 and ends with the log message). My problem is the common value resides in two differently-named fields (lcuser and SlotID). I have tried rename...but end up with only one event type "winning" (whichever one I rename last) and containing the new/renamed field). Same deal with eval to a new field...the last eval wins and the first eval no longer contains that field.</P> <P>I'm lost and really hoping someone can lend a hand...been beating my head against the wall on this for the better part of 4 hours.</P> <P>TIA!</P> Fri, 07 Jul 2017 19:09:58 GMT https://community.splunk.com/t5/Splunk-Search/Struggling-with-a-multi-log-transaction/m-p/301565#M90801 mgagliardi 2017-07-07T19:09:58Z https://community.splunk.com/t5/Splunk-Search/Struggling-with-a-multi-log-transaction/m-p/301566#M90802 <P>Have you tried coalesce?</P> <P>| eval combined=coalesce(lcuser, SlotID)</P> Fri, 07 Jul 2017 20:20:46 GMT https://community.splunk.com/t5/Splunk-Search/Struggling-with-a-multi-log-transaction/m-p/301566#M90802 coltwanger 2017-07-07T20:20:46Z https://community.splunk.com/t5/Splunk-Search/Struggling-with-a-multi-log-transaction/m-p/301567#M90803 <P>Dude, you're a damn witch! That's got it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Thanks so much, you just ended my week on a positive note.</P> Fri, 07 Jul 2017 20:47:47 GMT https://community.splunk.com/t5/Splunk-Search/Struggling-with-a-multi-log-transaction/m-p/301567#M90803 mgagliardi 2017-07-07T20:47:47Z https://community.splunk.com/t5/Splunk-Search/Struggling-with-a-multi-log-transaction/m-p/301568#M90804 <P>coltwanger's response was the (or at least a) correct answer, it worked for my use case.</P> Fri, 07 Jul 2017 20:59:05 GMT https://community.splunk.com/t5/Splunk-Search/Struggling-with-a-multi-log-transaction/m-p/301568#M90804 mgagliardi 2017-07-07T20:59:05Z https://community.splunk.com/t5/Splunk-Search/Struggling-with-a-multi-log-transaction/m-p/301569#M90805 <P>Awesome! Have a great weekend <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 07 Jul 2017 21:01:35 GMT https://community.splunk.com/t5/Splunk-Search/Struggling-with-a-multi-log-transaction/m-p/301569#M90805 coltwanger 2017-07-07T21:01:35Z