Archive

Need an alternative to transaction command for the following type of data set

Explorer

I have a data set like the below:

2017-04-26 10:00:00 correlationid=a1000 msg=testing1000
2017-04-26 10:02:00 correlation
id1=b1000 correlationid=a1000 msg=testing
2017-04-26 10:03:00 correlation
id1=b1000 msg=testing1
2017-04-26 10:04:00 correlationid1=b1000 msg=testing2
2017-04-26 10:00:00 correlation
id=a2000 msg=testing1000
2017-04-26 10:02:00 correlationid1=b2000 correlationid=a2000 msg=testing
2017-04-26 10:03:00 correlationid1=b2000 msg=testing1
2017-04-26 10:04:00 correlation
id1=b2000 msg=testing2
2017-04-26 10:05:00 correlationid1=b1000 correlationid2=c1000 msg=testing1
2017-04-26 10:06:00 correlation_id2=c1000 msg=testing2

I need to run a query which will map correlationid with its correlationid1 and in turn correlationid1 to correlationid2. I am able to get the list of events in this manner using the transaction command. However it is making my search query slow for large data sets. What would be the best alternative to transaction for this kind of data set? Thanks in advance.

Tags (1)
0 Karma

Path Finder

try this commands
streamstats, autoregress, delta, etc.

0 Karma

Explorer

Thank you, SplunkersRock. Can you please show me an example for the dataset I have given in my question above?

0 Karma