Splunk Search

Append data to a transaction

garland_tout
New Member

I have a transaction search that works great. The table that it produces is useful, but I want to append/augment it with additional data that I am inserting into Splunk about these "jobId"s via the API.

jobId=* source="/logs/*" | transaction jobId startswith=QUEUED endswith=COMPLETED | table _time jobId duration

I can search for the additional data via this search. It returns information about the jobId such as video_width, video_height, etc.

source="augmentData-VideoId" jobId=3703a4e7cc51ac54 | table video_width video_height

I am having trouble figuring out how to get the additional data into the first search without affecting the transaction duration time, since these additional data events are added via a cron job way after that transaction is completed.

1 Solution

somesoni2
Revered Legend

Try the following:

jobId=* source="/logs/*" | transaction jobId startswith=QUEUED endswith=COMPLETED | table _time jobId duration | join jobId [search source="augmentData-VideoId" | stats count by jobId, video_width, video_height | fields - count]

OR

jobId=* source="/logs/*" | transaction jobId startswith=QUEUED endswith=COMPLETED | table _time jobId duration | join jobId [search source="augmentData-VideoId" | fields jobId, video_width, video_height | dedup jobId, video_width, video_height]

Final output: _time, jobId, duration, video_width, video_height

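Two caveats worth knowing before relying on the join form above. First, the join subsearch is capped by default at 50,000 result rows and 60 seconds (limits.conf, [join] stanza: subsearch_maxout and subsearch_timeout); once the augmentation source grows past that, jobIds silently come back without video_width/video_height. Second, join keeps only the first subsearch row per jobId, so if the cron job ever writes two augmentation events with different values for the same jobId, the stats count by ... form will attach one of them without warning. The search below is an added example written for this page, not code from the thread or from Splunk; it folds the augmentation events into one search and uses stats instead of join, so there is no subsearch limit to hit. It assumes the sources and field names from the question, that the QUEUED and COMPLETED markers appear in the raw event text exactly as the original transaction search relies on (searchmatch stands in for startswith/endswith), and that each jobId runs once, so that earliest QUEUED to latest COMPLETED is the same span transaction would produce.

```spl
(source="/logs/*" jobId=* (QUEUED OR COMPLETED)) OR (source="augmentData-VideoId" jobId=*)
| eval is_aug=if(source="augmentData-VideoId", 1, 0)
| eval queued_time=if(is_aug=0 AND searchmatch("QUEUED"), _time, null())
| eval completed_time=if(is_aug=0 AND searchmatch("COMPLETED"), _time, null())
| stats min(queued_time) AS queued_time, max(completed_time) AS completed_time,
        latest(video_width) AS video_width, latest(video_height) AS video_height
        BY jobId
| where isnotnull(queued_time) AND isnotnull(completed_time)
| eval duration=completed_time-queued_time
| rename queued_time AS _time
| table _time jobId duration video_width video_height
```

The augmentation events contribute only video_width and video_height: their queued_time and completed_time are null because of the is_aug guard, so the timestamp of the cron job that wrote them never enters duration, which is the property the question asks for. The is_aug guard also stops searchmatch from matching an augmentation event that happens to contain the word QUEUED or COMPLETED in its body. The where clause drops jobIds that have been QUEUED but not yet COMPLETED, matching the behaviour of transaction with endswith. If a jobId can legitimately be queued more than once, this collapses all runs into one span, and the transaction-plus-join form is the safer choice.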

garland_tout
New Member

The first one works well. It did exactly what I wanted. Thanks!
