I have a transaction search that works great. The table that it produces is useful but I want to append/augment it with additional data that I am inserting into Splunk about these "jobId"s via the API.
jobId=* source="/logs/*" | transaction jobId startswith=QUEUED endswith=COMPLETED | table _time jobId duration
I can search for the additional data via this search. Returns information about the jobID such as video_width, video_height, etc.
source="augmentData-VideoId" jobId=3703a4e7cc51ac54 | table video_width video_height
I am having trouble on how to get the additional data into the first search without affecting the transaction duration time since these additional data events are added via a cron job way after that transaction is completed.
Try following:
jobId=* source="/logs/*" | transaction jobId startswith=QUEUED endswith=COMPLETED | table _time jobId duration | join jobId [search source="augmentData-VideoId" | stats count by jobId, video_width, video_height | fields - count]
OR
jobId=* source="/logs/*" | transaction jobId startswith=QUEUED endswith=COMPLETED | table _time jobId duration | join jobId [search source="augmentData-VideoId" | fields jobId, video_width, video_height | dedup jobId, video_width, video_height]
final output- _time,jobId,duration,video_width,video_height
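For a large number of jobIds the `join` subsearch above can silently truncate (subsearches are capped by the result-count and runtime limits in limits.conf), and the default inner join also drops transactions that have no augment data yet. An added example, not part of the original answer, that reaches the same output columns with a single search and `stats` instead of `join`; it assumes the QUEUED/COMPLETED markers appear in the raw log text (as `startswith`/`endswith` match them) and that the augment events carry `jobId`, `video_width` and `video_height` as extracted fields:

```spl
jobId=* (source="/logs/*" OR source="augmentData-VideoId")
| eval is_log=if(source="augmentData-VideoId", 0, 1)
| eval queued_time=if(is_log=1 AND searchmatch("QUEUED"), _time, null())
| eval completed_time=if(is_log=1 AND searchmatch("COMPLETED"), _time, null())
| stats min(queued_time) AS _time,
        max(completed_time) AS completed_time,
        latest(video_width) AS video_width,
        latest(video_height) AS video_height
    BY jobId
| eval duration=completed_time-_time
| where isnotnull(duration)
| table _time jobId duration video_width video_height
```

The augment events are excluded from the duration calculation by `is_log`, so an augment row written by the cron job days later cannot stretch `duration`, and jobs whose augment data has not arrived yet still appear with empty `video_width`/`video_height`. The one behavioural difference from `transaction` is that `duration` here spans the earliest QUEUED to the latest COMPLETED per jobId, so a jobId that is re-queued and completes twice gets one long row rather than two transactions; if that happens in your logs, keep the `transaction` form and add `type=left` to the `join` so unaugmented jobs are not dropped.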
The first one works well. Did exactly what I wanted. Thanks!