Splunk Search

Add transactions with a sub-search

Path Finder



Could you help me on the following search please?

I have a main search which groups me together all the events with a unique ID (these events are critical, warning and normal alerts that I index on Splunk).
I want to add a sub-search to my main search which could allow me to add other events in the form of a transaction. My problem here is that my unique ID in my main search is not the same as in my sub search.
this is what I want to do :

index=index1 (severity=2 OR severity=0 OR severity=1 OR (severity="-1" AND Function=Traps))
| eval ID=Service+"_"+Env+"_"+Apps+"_"+Function+"_"+managed_entity+"_"+varname
| addinfo

| append [search index=index_sqlprod-itrs_toc (managed_entity="vpw-neorc-103 - rec" OR managed_entity="vpw-neorc-903 - rec") rowname="ASC RecordingControl"
| eval ID=Service+"_"+Env+"_"+Apps+"_"+Function+"_"+varname
| addinfo
| sort _time asc
| eval peer_failed=if(severity=2,1,-1)
| streamstats sum(peer_failed) as failed_peers by ID
| eval failed_peers=if((failed_peers=1) AND (severity="0" OR severity="-1"),3,failed_peers)
| where NOT (failed_peers=1 OR failed_peers=0)
| sort _time desc
| transaction ID startswith=(failed_peers=2) endswith=(failed_peers=3) maxevents=2]

| transaction ID startswith=(severity=2) maxevents=2

 my goal is to bring these transactions together without having the same ID, is that possible?

Labels (4)
0 Karma
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...