I have a question. In a microservice-based platform, we are getting several logs from different applications. Each application tracks unique transactions via an id, either a CorrelationId, SessionId or TransactionId.
I want to be able to put this in a lookup application.csv file and use it for the same dashboard,
so my lookup will look like:
Application   SourceLogs         Unique_Identifier
App1          Application1.logs  CorrelationId
App2          Application2.logs  SessionId
App3          Application3.logs  TransactionId
I have created an input where the user can select the Application via tkn_app:
index=application_logs
| lookup application.csv SourceLogs as source | search Application=$tkn_app$
| bin span=5m _time
| stats dc(Unique_Identifier) AS TPS by _time
However, this searches for the literal strings CorrelationId, SessionId and TransactionId and not the actual values. How do I make it so Unique_Identifier searches for the right metadata?
Note the logs are in JSON format, so the fields CorrelationId, SessionId and TransactionId are auto-detected by Splunk.
The search command does not support field names on the right of the =; it assumes the right side is a string.
Try using where, instead.
My question is not about the search string; my question is how to use a field like CorrelationID, SessionID or TransactionID as a variable.
The question is not about the search command, but the answer is. The existing query will not treat anything on the right side of = as a field ("variable"). Use the variable in a where command and it should work.
I did use the where clause and it didn't work.
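As an added worked example (not posted by anyone in this thread), here is one way to count distinct values of whichever field the lookup names. It assumes the application.csv lookup with the Application, SourceLogs and Unique_Identifier columns shown in the question, JSON events that carry a CorrelationId, SessionId or TransactionId field, and the dashboard token tkn_app; the eval field name uid is a hypothetical name chosen for this example. The lookup row for each event is resolved first, then eval/case copies the value of the field whose name matches Unique_Identifier into uid, so the stats command counts actual transaction ids rather than the column names.

```spl
index=application_logs
| lookup application.csv SourceLogs AS source OUTPUT Application Unique_Identifier
| search Application="$tkn_app$"
| eval uid=case(Unique_Identifier=="CorrelationId", CorrelationId,
                Unique_Identifier=="SessionId", SessionId,
                Unique_Identifier=="TransactionId", TransactionId)
| where isnotnull(uid)
| bin span=5m _time
| stats dc(uid) AS TPS by _time
```

Events whose source has no row in application.csv, or whose named id field is missing, get a null uid and are dropped by the where clause rather than being counted as one bogus distinct value. Each new id field name needs one more pair of arguments in the case() call; keeping the list in step with the lookup file is the price of this approach.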