Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Confused with Transaction and map command

KBudhale
Observer
‎08-18-2021 07:32 AM

Hi I have two searches for  which searches pacs.200(input) and pacs.800(output) records  for an ID 

inxdex="xyz" source="source1"  "pacs.200" 
and  
inxdex="xyz" source="source1" "pacs.800"

i use transaction command to get transaction time between  pacs.200(input) and pacs.800(output)  which works good 

but i have one another source="source2"  which has same IDfield common but other diffrent fields  

I want to map "source2" data with output of my (source1)  To get some fields from Source2  but its a huge data (probably 200k and more ) so map is not working  properly here ? and i guess i cant use transaction command as i have already used this with first 2 searches can anyone help me with How should i map my source 2 data with my previous output ?

Labels (1)
Labels
0 Karma
Reply

shivanshu1593
Builder
‎08-19-2021 01:51 AM

Hello,

Please try something like this:

index="xyz" source="source1"  "pacs.200" 
AND
index="xyz" source="source1" "pacs.800"  |  join IDfield [index=your_index source=source 2 | table IDfield <add more fields that you want to see] | rest of your query

 

Let me know if it helps.

Thanks,

****If the answer helped, please upvote and accept it as a solution. It helps others to find the solution quickly****

 

 

 

 

 

 

 

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply

KBudhale
Observer
‎08-19-2021 10:00 PM

Hi  @shivanshu1593 , Thanks for your help man but 

As i said there are too many records  i am  trying to map splunk Join has limitations so i tried using Join but it never works properly, That's why at first place i went for Transaction command 

 
0 Karma
Reply

shivanshu1593
Builder
‎08-20-2021 12:23 AM

Ah okay. I didn't read that part in the question. With large sets of data, map is even worse than join. Will take a lot of time, slow execution, missed results and you'll probably need more than maxsearches=1000+. Please try this:

| multisearch [search index="xyz" source="source1"  "pacs.200" 
AND
index="xyz" source="source1" "pacs.800"]

[search index=your_index source=source2 | rename IDfield as IDfield1]

| eval matched_IDfield = coalesce (IDfield,IDfield1)

| fields + <fields from both sources that you want to see in the result>

| stats list(*) as *

 

Let me know if this helps.

Thanks,

****If the answer helped, please upvote and accept it as a solution. It helps others to find the solution quickly****

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-20-2021 12:00 AM

Can you give some (masked) example data, your current query and example what you want like moc or something similar?

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...
Top