Hi, I have two searches which search for pacs.200 (input) and pacs.800 (output) records for an ID:
index="xyz" source="source1" "pacs.200"
and
index="xyz" source="source1" "pacs.800"
I use the transaction command to get the transaction time between pacs.200 (input) and pacs.800 (output), which works well,
but I have one more source="source2" which has the same IDfield in common but otherwise different fields.
I want to map the "source2" data with the output of my (source1) search to get some fields from source2, but it's a huge amount of data (probably 200k records and more), so map is not working properly here. And I guess I can't use the transaction command, as I have already used it with the first two searches. Can anyone help me with how I should map my source2 data with my previous output?
Hello,
Please try something like this:
index="xyz" source="source1" ("pacs.200" OR "pacs.800") | join IDfield [search index=your_index source=source2 | table IDfield <add more fields that you want to see>] | rest of your query
Let me know if it helps.
Thanks,
S
****If the answer helped, please upvote and accept it as a solution. It helps others to find the solution quickly****
Hi @shivanshu1593, thanks for your help man, but
as I said, there are too many records I am trying to map. Splunk join has limitations, so I tried using join but it never works properly. That's why in the first place I went for the transaction command.
Ah okay. I didn't read that part in the question. With large sets of data, map is even worse than join: it will take a lot of time, execute slowly, miss results, and you'll probably need more than maxsearches=1000+. Please try this:
| multisearch [search index="xyz" source="source1" ("pacs.200" OR "pacs.800")]
[search index=your_index source=source2 | rename IDfield as IDfield1]
| eval matched_IDfield=coalesce(IDfield,IDfield1)
| fields + matched_IDfield <fields from both sources that you want to see in the result>
| stats list(*) as * by matched_IDfield
Let me know if this helps.
Thanks,
S
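As an added example (not from the thread above or the poster's own searches), the same correlation can be done with a single stats pass instead of transaction plus join, which has no subsearch or result-count limits. It assumes the ID field is named IDfield in all sources and that source2 carries hypothetical enrichment fields field_a and field_b; adjust both to your data.

```spl
index="xyz" (source="source1" ("pacs.200" OR "pacs.800")) OR source="source2"
| eval msg_type=case(
      source="source1" AND like(_raw, "%pacs.200%"), "input",
      source="source1" AND like(_raw, "%pacs.800%"), "output",
      source="source2", "enrich")
| eval in_time=if(msg_type="input", _time, null()),
       out_time=if(msg_type="output", _time, null())
| stats min(in_time) AS in_time, max(out_time) AS out_time,
        count(eval(msg_type="input")) AS inputs,
        count(eval(msg_type="output")) AS outputs,
        values(field_a) AS field_a, values(field_b) AS field_b
        BY IDfield
| eval status=case(isnull(in_time), "missing pacs.200",
                   isnull(out_time), "missing pacs.800",
                   inputs>1 OR outputs>1, "duplicate messages",
                   true(), "ok")
| eval duration=if(status="ok", out_time-in_time, null())
| table IDfield status duration inputs outputs field_a field_b
```

Filter on status="ok" for the transaction-time report, and on the other status values to see IDs that the transaction command would silently have dropped or merged.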
Can you give some (masked) example data, your current query and an example of what you want, like a mock-up or something similar?