Splunk Search

Confused with Transaction and map command

KBudhale
Observer

Hi, I have two searches which search for pacs.200 (input) and pacs.800 (output) records for an ID:

index="xyz" source="source1" "pacs.200"
and
index="xyz" source="source1" "pacs.800"

I use the transaction command to get the transaction time between pacs.200 (input) and pacs.800 (output), which works well.

But I have another source="source2" which has the same IDfield in common but other different fields.

I want to map the "source2" data with the output of my (source1) searches to get some fields from source2, but it's a huge data set (probably 200k records and more), so map is not working properly here. And I guess I can't use the transaction command as I have already used this with the first two searches. Can anyone help me with how I should map my source2 data with my previous output?

0 Karma

shivanshu1593
Builder

Hello,

Please try something like this:

index="xyz" source="source1" "pacs.200"
AND
index="xyz" source="source1" "pacs.800" | join IDfield [index=your_index source="source2" | table IDfield <more fields that you want to see>] | rest of your query

Let me know if it helps.

Thanks,

****If the answer helped, please upvote and accept it as a solution. It helps others to find the solution quickly****

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma

KBudhale
Observer

Hi @shivanshu1593, thanks for your help man, but

As I said, there are too many records I am trying to map. Splunk join has limitations, so I tried using join but it never works properly. That's why in the first place I went for the transaction command.

0 Karma

shivanshu1593
Builder

Ah okay. I didn't read that part in the question. With large sets of data, map is even worse than join. It will take a lot of time, slow execution, missed results, and you'll probably need more than maxsearches=1000+. Please try this:

| multisearch [search index="xyz" source="source1" "pacs.200"
AND
index="xyz" source="source1" "pacs.800"]
[search index=your_index source="source2" | rename IDfield as IDfield1]
| eval matched_IDfield=coalesce(IDfield,IDfield1)
| fields + matched_IDfield <fields from both sources that you want to see in the result>
| stats list(*) as * by matched_IDfield

Let me know if this helps.

Thanks,

Thank you,
Shiv
0 Karma
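Added example, not from the original poster or either answerer: the same correlation (pacs.200 input time, pacs.800 output time, plus enrichment fields from source2) done in one pass with stats instead of transaction, join or map. It assumes source2 is in the same index "xyz" as source1, that IDfield is already extracted in all three kinds of events, and that field_a stands in for whichever source2 field you want (placeholder name, not from the thread).

```spl
index="xyz" ((source="source1" ("pacs.200" OR "pacs.800")) OR source="source2")
| eval in_time=if(source=="source1" AND searchmatch("pacs.200"), _time, null()),
       out_time=if(source=="source1" AND searchmatch("pacs.800"), _time, null())
| stats min(in_time) as in_time,
        max(out_time) as out_time,
        values(field_a) as field_a,
        count(eval(source=="source2")) as source2_events
        by IDfield
| where isnotnull(in_time) AND isnotnull(out_time)
| eval duration_sec=out_time-in_time
| eval in_time=strftime(in_time, "%Y-%m-%d %H:%M:%S"),
       out_time=strftime(out_time, "%Y-%m-%d %H:%M:%S")
| table IDfield in_time out_time duration_sec field_a source2_events
```

The base search pulls all three event types at once, the two eval fields tag each event as input or output by its timestamp, and stats by IDfield collapses everything for one ID into one row: min(in_time) and max(out_time) give the same duration transaction would, values(field_a) carries the source2 fields across, and source2_events tells you which IDs had no enrichment record. The where clause keeps only IDs that have both an input and an output; drop it if you also want to see unmatched IDs. Because stats is a distributed aggregation with no subsearch, it has none of the row or time limits that make join and map drop results on 200k+ records; the only resource to watch is memory on the search head, which grows with the number of distinct IDfield values in the time range.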

isoutamo
SplunkTrust

Can you give some (masked) example data, your current query, and an example of what you want, like a mock-up or something similar?

0 Karma