Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Append data to a transaction

garland_tout
New Member
‎11-21-2013 11:13 AM

I have a transaction search that works great. The table that it produces is useful but i want to append/augment it with additional data that I am inserting into Splunk about these "jobId"s via the API.

 jobId=* source="/logs/*" | transaction jobId startswith=QUEUED endswith=COMPLETED | table _time jobId duration

I can search for the additional data via this search. Returns information about the jobID such as video_width, video_height, etc.

source="augmentData-VideoId" jobId=3703a4e7cc51ac54 | table video_width video_height

I am having trouble on how to get the additional data into the first search without affecting the transaction duration time since these additional data events are added via a cron job way after that transaction is completed.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-21-2013 11:45 AM

Try following:

jobId=* source="/logs/*" | transaction jobId startswith=QUEUED endswith=COMPLETED | table _time jobId duration | join jobId [search source="augmentData-VideoId" | stats count by jobId, video_width, video_height | field - count]

OR

jobId=* source="/logs/*" | transaction jobId startswith=QUEUED endswith=COMPLETED | table _time jobId duration | join jobId [search source="augmentData-VideoId" | fields jobId, video_width, video_height | dedup jobId, video_width, video_height]

final output- _time,jobId,duration,video_width,video_height

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-21-2013 11:45 AM

Try following:

jobId=* source="/logs/*" | transaction jobId startswith=QUEUED endswith=COMPLETED | table _time jobId duration | join jobId [search source="augmentData-VideoId" | stats count by jobId, video_width, video_height | field - count]

OR

jobId=* source="/logs/*" | transaction jobId startswith=QUEUED endswith=COMPLETED | table _time jobId duration | join jobId [search source="augmentData-VideoId" | fields jobId, video_width, video_height | dedup jobId, video_width, video_height]

final output- _time,jobId,duration,video_width,video_height

Reply
Solved! Jump to solution

garland_tout
New Member
‎11-21-2013 01:39 PM

The first one works well. Did exactly want i wanted. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...