Hi all, I'm a new Splunk user and I would like to have some help from you.
I have two queries:
First query:
index=osb source=/applog/MtRot/ROT/proxy.log 3548 PS_WS_OM_NOTIFY
| xmlkv maxinputs=10000
| table OrderID transactionID StatusCode StatusDescription
Result:
OrderID transactionID StatusCode StatusDescription
3548 98f02a 5 Completed
Second query (executed after the first query result):
index=osb source=/applog/MtRot/ROT/proxy.log PS_WS_OM_NOTIFY 98f02a (from the first query)
| xmlkv maxinputs=10000
| table transactionID ResultCode ResultDescription
The two queries have "transactionID" as a common value, so I'd like to create a single query in order to show one row with all these fields:
table OrderID transactionID StatusCode StatusDescription ResultCode ResultDescription
Any suggestion? Thank you very much
Try
index=osb source=/applog/MtRot/ROT/proxy.log PS_WS_OM_NOTIFY
|stats values(OrderID) as OrderID, values(StatusCode) as StatusCode, values(StatusDescription) as StatusDescription, values(ResultCode) as ResultCode, values(ResultDescription) as ResultDescription by transactionID
If you want the latest data only, then you may replace "values" with "latest"
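To show what this `stats ... by transactionID` correlation does with the two event types from the question, here is an added Python emulation (not Splunk code and not part of the original answer). The log lines, the `<msg>` wrapper and the `xmlkv`/`stats` stand-ins are all constructed assumptions; `mode="latest"` assumes the events are already in time order.

```python
import re
from collections import defaultdict

# Constructed sample proxy.log events (not from the original post): the first
# carries OrderID/Status fields, the second the Result fields for the same
# transactionID, the third is a transaction that never got a result.
SAMPLE_EVENTS = [
    "2023-01-01T10:00:00 PS_WS_OM_NOTIFY <msg><OrderID>3548</OrderID>"
    "<transactionID>98f02a</transactionID><StatusCode>5</StatusCode>"
    "<StatusDescription>Completed</StatusDescription></msg>",
    "2023-01-01T10:00:05 PS_WS_OM_NOTIFY <msg><transactionID>98f02a</transactionID>"
    "<ResultCode>0</ResultCode><ResultDescription>OK</ResultDescription></msg>",
    "2023-01-01T10:01:00 PS_WS_OM_NOTIFY <msg><OrderID>3549</OrderID>"
    "<transactionID>c1d2e3</transactionID><StatusCode>2</StatusCode>"
    "<StatusDescription>Pending</StatusDescription></msg>",
]

FIELDS = ["OrderID", "StatusCode", "StatusDescription", "ResultCode", "ResultDescription"]


def xmlkv(event):
    """Rough stand-in for Splunk's xmlkv: extract <tag>value</tag> pairs."""
    return dict(re.findall(r"<(\w+)>([^<]*)</\1>", event))


def stats_by_transaction(events, mode="values"):
    """Emulate `| stats values(f) as f by transactionID` (mode="values",
    sorted unique values) or `latest(f)` (mode="latest", last seen value)."""
    rows = defaultdict(lambda: {f: [] for f in FIELDS})
    for ev in events:
        kv = xmlkv(ev)
        tid = kv.get("transactionID")
        if tid is None:
            continue  # stats silently drops events lacking the by-field
        for f in FIELDS:
            if f in kv:
                rows[tid][f].append(kv[f])
    result = {}
    for tid, cols in rows.items():
        if mode == "latest":
            result[tid] = {f: (v[-1] if v else None) for f, v in cols.items()}
        else:
            result[tid] = {f: sorted(set(v)) for f, v in cols.items()}
    return result


if __name__ == "__main__":
    for tid, cols in stats_by_transaction(SAMPLE_EVENTS).items():
        print(tid, cols)
```

Note that a transaction with no result event still appears as a row with empty Result columns, which is the kind of gap a stats-based correlation makes visible.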
Thank you again, now it works!!
Thank you Renjith for your support, I tried with your query but it doesn't show any result. Maybe because the query needs the xmlkv maxinputs=10000? Thank you
yep sure, add all your search terms before the stats.